747 matches found
CVE-2017-4928
The Flash-based vSphere Web Client (6.0 prior to 6.0 U3c and 5.5 prior to 5.5 U3f), i.e. not the new HTML5-based vSphere Client, contains SSRF and CRLF injection issues due to improper neutralization of URLs. An attacker may exploit these issues by sending a POST request with modified headers toward...
CVE-2017-4928
CVE-2017-4928 affects the Flash-based vSphere Web Client (not the HTML5 client). The issue stems from improper neutralization of URLs, enabling SSRF and CRLF injection that could allow an attacker to send a crafted POST request towards internal services and disclose information. Affected VMware p...
VMware vCenter Server Information Disclosure Vulnerability (CNVD-2017-33977)
VMware vCenter Server provides a centralized, scalable platform for managing virtual infrastructure. An information disclosure vulnerability exists in VMware vCenter Server versions 5.5, 6.0, and 6.5. A remote user can trigger the URL authentication vulnerability by sending a specially crafted PO...
Creation of Platform Layer fails with a time out error from vSphere
During creation of the Platform layer, the task fails and we get an error on the App Layering console: "A timeout occurred waiting for a vsphere task to complete"...
KLA11142 DoS and OSI vulnerabilities in VMware products
Multiple serious vulnerabilities have been found in VMware vCenter Server and vSphere Web Client. Malicious users can exploit these vulnerabilities to cause denial of service or disclose sensitive information. Below is a complete list of vulnerabilities: 1. An unspecified vulnerability in VMware...
Backup jobs fail intermittently with Error observed by underlying BIO:
Challenge: Intermittent network failures when communicating to the VMware host. The errors can vary but all have some variation of: "Error observed by underlying BIO: No such file or directory Detail: 'SSL connect failed in tcpconnect', endpoint:" Guest processing credentials test will also fail ov...
The vulnerability of the software for managing VMware vSphere Client lies in the improper limitation of XML references to external objects, which allows an attacker to access confidential information.
The vulnerability of the software for managing VMware vSphere Client is related to incorrect restrictions on XML references to external objects. Exploiting this vulnerability can allow a malicious actor to gain access to confidential information by convincing users to connect to the malicious...
Unable to import App Layering OS Layer to ELM from vSphere
After creating a vSphere connector and selecting the host and VM to import into the Enterprise Layer Manager (ELM) as an OS layer, the operation will time out within a few minutes. vSphere shows an exporting task stuck at 0% before timing out...
The vulnerability of the backup tool for virtual machines in vSphere Data Protection, caused by deserialization issues, allows a perpetrator to execute commands on the device.
The vulnerability of the backup tool for vSphere Data Protection stems from deserialization issues. Exploiting this vulnerability allows a malicious actor to execute commands on the device remotely...
Hot-add of Digest Enabled Disk Not Supported
The CachePoint Appliance could not create the boot image of Windows 10. Error is: Failed to reattach disks to the desktop that were temporarily attached to the CachePoint Appliance. In vSphere a vm reconfigure task displays, "Hot-add of digest enabled disk not supported"...
VMware vSphere Data Protection (VDP) Multiple Vulnerabilities
VMware vSphere Data Protection (VDP) is prone to multiple vulnerabilities.
VMware VDP Known SSH Key Exploit
VMware vSphere Data Protection appliances 5.5.x through 6.1.x contain a known ssh private key for the local user admin who is a sudoer without password.
Visit Trend Micro at VMworld 2017
Trend Micro will be at VMworld 2017 in Las Vegas on August 27th – 31st, showing why experience matters when it comes to automated security for your data center and cloud environments. Stop by our booth, 610, to chat with our security experts, and enter our daily draws to win a Phantom 3 Drone! Se...
VMSA-2017-0012: VMware VIX API VM Direct Access Function security issue
VMware Security Advisory. Advisory ID: VMSA-2017-0012. Severity: Important. Synopsis: VMware VIX API VM Direct Access Function security issue VMware...
CVE-2017-4919
VMware vCenter Server 5.5, 6.0, 6.5 allows vSphere users with certain, limited vSphere privileges to use the VIX API to access Guest Operating Systems without the need to authenticate...
Design/Logic Flaw
VMware vCenter Server 5.5, 6.0, 6.5 allows vSphere users with certain, limited vSphere privileges to use the VIX API to access Guest Operating Systems without the need to authenticate...
VMware vSphere Data Protection Command Execution and Information Disclosure Vulnerabilities
VMware vSphere Data Protection is prone to arbitrary command-execution and information disclosure vulnerabilities.
VMware vSphere Data Protection Remote Code Execution (CVE-2017-4914)
Multiple vulnerabilities have been reported in VMware vSphere Data Protection. The vulnerabilities are due to improper Java deserialization and use of reversible encryption. A remote attacker could exploit one of the vulnerabilities by sending specially crafted data to the targeted server, which...
VMware vSphere Data Protection 5.x/6.x - Java Deserialization (CVE-2017-4914)
No description provided by source. !/usr/bin/env python import socket import sys import ssl def getHeader: return '\x4a\x52\x4d\x49\x00\x02\x4b' def payload: cmd = sys.argv4 cmdlen = lencmd data2 =...