Patch released for VMware vulnerability

Cloud and virtualization software company VMware Inc., has released a patch for a security flaw in its servers that could allow unauthorized users to access files.
“VMware View contains a critical directory transversal vulnerability that allows an unauthenticated remote attacker to retrieve arbitrary files from View servers,” a post on the company’s security advisory site said. “Exploitation of this issue may expose sensitive information stored on the server.”

The post said the vulnerability affects both the View connection server and the View security server and recommended that customers immediately update both servers to a fixed version of View.

Related content 

New VMware management, security tools coming

Will OpenStack welcome VMware?

Users who are not able to update their View servers are advised to follow these options:

–       Disable security server. This will prevent exploitation of the vulnerability over untrusted remote networks. To restore functionality for remote users, allow them to connect the connection server via VPN

–       Block directory transversal attempts. You may be able to prevent exploits of this flaw by blocking transversal attacks with and intrusion protection system or application layer firewall

The vulnerability was first reported to VMware in October by the vulnerability research team of Digital Defense Inc., a Texas-based digital risk auditing firm.

In the process of conducting a vulnerability test on VMware View systems, DDI found that a guest user who had been granted access to specific files on a virtual machine could prompt the VM to retrieve files that other users should not have access to, said  Javier Castro, senior vulnerability researcher at DDI said in an interview with Computerworld.

A potential intruder could access file systems on a Web server to get hold of hashed passwords, he said.

Read the whole story here

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Nestor E. Arellano
Nestor E. Arellano
Toronto-based journalist specializing in technology and business news. Blogs and tweets on the latest tech trends and gadgets.

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now