Patches issued for VMware’s vSphere ESXi, VMware vCenter Server
SC magazine | September 18, 2019
VMware issued a security advisory containing several security updates for its vSphere ESXi and VMware vCenter Server products to patch command injection and information disclosure vulnerabilities. Two of the vulnerabilities, CVE-2019-5532 and CVE-2019-5534, are rated as “important,” while CVE-2017-16544 and CVE-2019-5531 are considered “moderate” issues, VMware reported.

CVE-2019-5534 covers an issue where virtual machines deployed in Open Virtualization Format (OVF) could expose login information via the virtual machine’s vAppConfig properties. This can be resolved by updating to the latest version.

CVE-2019-5532 covers a situation where a malicious user with access to the log files containing vCenter OVF-properties of a virtual machine deployed from an OVF may be able to view the credentials used to deploy the OVF. This is typically done through the root account of the virtual machine. A patched version is now available for upload.