VMware released three security updates this week for a number of its products, including VMware Horizon and vSphere products.
VMware has published an advisory notifying users that vSphere Data Protection (VDP) versions 5.5.x, 5.8.x, 6.0.x and 6.1.x are affected by two critical flaws: a Java deserialization issue and a credentials management issue.
vSphere Data Protection is a backup solution for use in vSphere environments and is regularly run in tandem with VMware’s vCenter Server and vSphere Web Client.
The product is affected by a Java deserialization flaw that could allow an attacker to execute commands. Tim Roberts, Arthur Chilipweli, and Kelly Correll, security consultants from NTT Security, discovered the flaw, according to the advisory.
The company also reported another vulnerability in VDP pertaining to how it stores credentials. VDP saves credentials from vCenter Server using reversible encryption, which could allow plaintext credentials to be stolen.
VMware also published another advisory this week describing a command injection vulnerability affecting the Horizon View Client for Mac.
The company said:
A Kapsch BusinessCom AG researcher found that the application has a command injection vulnerability in the service status script. An unprivileged attacker can exploit the flaw to escalate privileges to root on the affected Mac OS X system.
VMware users are advised to review the patch/release notes for their product and version and to verify the checksum of the downloaded file.