VMware VMSA-2019-0013
Published: Sep 16, 2019

VMware ESXi and vCenter Server updates address command injection and information disclosure vulnerabilities. (CVE-2017-16544, CVE-2019-5531, CVE-2019-5532, CVE-2019-5534)

www.vmware.com
1. Impacted Products
  • VMware vSphere ESXi (ESXi)

  • VMware vCenter Server (vCenter)

2. Introduction
ESXi and vCenter updates address multiple vulnerabilities.
  • CVE-2017-16544: VMware ESXi command injection vulnerability
  • CVE-2019-5531: ESXi Host Client, vCenter vSphere Client and vCenter vSphere Web Client information disclosure vulnerability
  • CVE-2019-5532: VMware vCenter Server information disclosure vulnerability
  • CVE-2019-5534: VMware vCenter Server information disclosure vulnerability in vAppConfig properties
3a. VMware ESXi ‘busybox’ command injection vulnerability - CVE-2017-16544

Description:

ESXi contains a command injection vulnerability due to its use of a vulnerable version of BusyBox. The BusyBox shell's tab completion prints filenames to the terminal without sanitizing them, so a filename that contains control characters delivers arbitrary terminal escape sequences to the administrator's terminal. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.7.

Known Attack Vectors:

An attacker may exploit this issue by providing a file with a maliciously crafted name that an ESXi administrator later encounters in the shell (for example while tab-completing a path), thereby tricking the administrator into executing shell commands.

Resolution:

To remediate CVE-2017-16544, update/upgrade to the versions listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

Workarounds:

None.

Additional Documentation:

None.

Acknowledgements:

VMware would like to thank Zhouyuan Yang of Fortinet’s FortiGuard Labs for reporting this issue to us.

Response Matrix: