vCenter's phone-home 'customer improvement' feature opened remote code execution hole

VMware's also released first vSphere 6.5 hardening guide

Ever worried that software phoning home application performance data so vendors can learn from real-world users might become an attack vector? If so, your nightmare just came true: VMware's vCenter has just that problem, thanks to its use of the Adobe-derived open source BlazeDS messaging tool to process messages.

VMware's issued patches to vCenter 6.0 and vCenter 6.5, both rated critical. Previous versions of vCenter don't have the problem. But even users who opted out of VMware's Customer Experience Improvement Program are susceptible.

The news isn't all bad for VMware on the security front: last week its VSAN hyperconverged software stack won a spot on the Defense Information Systems Agency's Security Technical Implementation Guide. Making the list means VSAN is certified to run on United States Department of Defense networks. Virtzilla reckons VSAN's the first hyperconverged stack to score a spot on the list. VMware has deep entanglements with the US military, so this will be welcome news as it gives the company a good chance of upgrading agencies to its ever-more-extensive range of wares. VSAN's also rated secure enough to run on a nuclear submarine, so Pentagon workloads should be a doddle.

The company's also popped the first hardening guide for vSphere 6.5. Some of the guide's 68 suggestions (the guide ships as an .XLSX spreadsheet) aren't rocket science – you probably don't need to be told to keep ESXi patched. But there's also some nicely detailed stuff on topics like how best to configure bidirectional authentication when connecting vSphere to an iSCSI device. ®
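As an added illustration of the bidirectional iSCSI authentication item mentioned above (this is not code from the hardening guide, VMware, or the article), the PowerCLI snippet below contrasts one-way CHAP, where only the ESXi host proves its identity, with mutual CHAP, where the storage target must also present a secret before the host will use its LUNs. The vCenter and host names, CHAP names and secrets are placeholders; the cmdlets and parameters (`Get-VMHostHba`, `Set-VMHostHba -ChapType`, `-MutualChapEnabled`, `-MutualChapName`, `-MutualChapPassword`) are PowerCLI's as the author of this example knows them, so confirm them against the PowerCLI release you run.

```powershell
# Added example, not part of the original article or of VMware's hardening guide.
# Enforces mutual (bidirectional) CHAP on an ESXi host's software iSCSI adapter.
# All names below are placeholders; secrets are read at run time, never hard-coded.

Connect-VIServer -Server 'vcenter.example.internal'      # placeholder vCenter

$hostName = 'esxi01.example.internal'                    # placeholder ESXi host
$hba = Get-VMHost -Name $hostName |
       Get-VMHostHba -Type IScsi |
       Where-Object { $_.Model -like '*Software*' }      # the software iSCSI adapter

if (-not $hba) { throw "No software iSCSI adapter found on $hostName" }

# Weak setting (shown for contrast, left commented out): one-way CHAP.
# The host authenticates to the target, but accepts any target that answers
# on the portal, so a rogue target could be presented to the host.
# Set-VMHostHba -IScsiHba $hba -ChapType Required -ChapName 'esxi01-initiator' `
#     -ChapPassword (Read-Host -Prompt 'Initiator CHAP secret')

# Hardened setting: mutual CHAP. ChapType Required forbids unauthenticated
# sessions; MutualChapEnabled makes the target prove itself with its own secret.
$initiatorSecret = Read-Host -Prompt 'Initiator CHAP secret'
$targetSecret    = Read-Host -Prompt 'Target (mutual) CHAP secret'

Set-VMHostHba -IScsiHba $hba `
    -ChapType Required `
    -ChapName 'esxi01-initiator' `                        # placeholder initiator name
    -ChapPassword $initiatorSecret `
    -MutualChapEnabled $true `
    -MutualChapName 'array01-target' `                    # placeholder target name
    -MutualChapPassword $targetSecret

# Verify the result: both ChapType and MutualChapEnabled should reflect the change.
$check = Get-VMHost -Name $hostName | Get-VMHostHba -Type IScsi |
         Where-Object { $_.Model -like '*Software*' }
$check.AuthenticationProperties |
    Select-Object ChapType, ChapName, MutualChapEnabled, MutualChapName

Disconnect-VIServer -Server 'vcenter.example.internal' -Confirm:$false
```

The same secrets must be configured on the storage array side, with the initiator and target secrets kept distinct; reusing one secret in both directions defeats the point of mutual authentication.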
