VMware has fixed a critical flaw in its vCenter Server that could be exploited to execute code remotely. The vulnerability affects vCenter versions 6.5 and 6.0. Users are urged to upgrade to versions 6.5c or 6.0U3b.
In an alert posted on Friday, US-CERT warned that exploitation of the vulnerability could result in an attacker taking control of an affected system.
vCenter Server, formerly known as VirtualCenter, is a tool used for managing vSphere virtual environments.
The vulnerability stems from vCenter Server's use of BlazeDS to process AMF3 messages. BlazeDS, originally developed by Adobe, is a server-side Java remoting and web-based messaging technology. AMF3, or Action Message Format 3, is a compact binary message format, also developed by Adobe, used by Flash applications to communicate with a server and to serialize ActionScript object graphs.
According to VMware's security advisory, the vulnerability could allow an attacker to execute arbitrary code because the server deserializes an untrusted Java object from the message. The danger of this class of bug is that the sender of an AMF3 message, not the server, names the class the deserializer will instantiate and populate, so anything reachable on the server's classpath becomes attacker input.
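To make the mechanism concrete, here is an added example, not code from the article or from VMware or BlazeDS: a minimal AMF3 decoder in Python that walks a message, records every class name it asks the receiver to instantiate, and checks those names against an allow-list before anything would be deserialized. Everything here is constructed for illustration: the class names, the allow-list, and the three sample messages are made up, and only a bare AMF3 value is parsed (BlazeDS wraps such values in an AMF packet envelope, which this example skips). Externalizable objects are stopped at their class name, because the bytes that follow are in a format defined by the named class itself.

```python
import struct


class ExternalizedPayload(Exception):
    """An externalizable object was met: after its class name the bytes are in a
    class-defined layout that a generic decoder cannot parse, so stop there."""


class AMF3Reader:
    """Decodes one AMF3 value and records every class name the message names."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
        self.strings, self.objects, self.traits = [], [], []   # AMF3 reference tables
        self.class_names = []                                   # in order of appearance

    def _u8(self) -> int:
        if self.pos >= len(self.data):
            raise ValueError("truncated AMF3 message")
        self.pos += 1
        return self.data[self.pos - 1]

    def _u29(self) -> int:
        # Variable-length int: up to three 7-bit groups with a continuation bit, then one full byte.
        value = 0
        for i in range(4):
            b = self._u8()
            if i == 3:
                return (value << 8) | b
            value = (value << 7) | (b & 0x7F)
            if not b & 0x80:
                return value
        return value

    def _string(self) -> str:
        ref = self._u29()
        if not ref & 1:                           # reference into the string table
            return self.strings[ref >> 1]
        length = ref >> 1
        if self.pos + length > len(self.data):
            raise ValueError("truncated string")
        text = self.data[self.pos:self.pos + length].decode("utf-8")
        self.pos += length
        if text:                                  # the empty string is never table-referenced
            self.strings.append(text)
        return text

    def value(self):
        marker = self._u8()
        if marker in (0x00, 0x01):                # undefined, null
            return None
        if marker in (0x02, 0x03):                # false, true
            return marker == 0x03
        if marker == 0x04:
            return self._u29()
        if marker == 0x05:
            (d,) = struct.unpack(">d", self.data[self.pos:self.pos + 8])
            self.pos += 8
            return d
        if marker == 0x06:
            return self._string()
        if marker == 0x09:
            return self._array()
        if marker == 0x0A:
            return self._object()
        raise ValueError(f"unsupported AMF3 marker 0x{marker:02x}")

    def _array(self):
        ref = self._u29()
        if not ref & 1:
            return self.objects[ref >> 1]
        dense = []
        self.objects.append(dense)
        while (key := self._string()) != "":      # associative part, terminated by an empty key
            dense.append((key, self.value()))
        dense.extend(self.value() for _ in range(ref >> 1))
        return dense

    def _object(self):
        ref = self._u29()
        if not ref & 1:                           # object reference
            return self.objects[ref >> 1]
        obj = {}
        self.objects.append(obj)
        if not ref & 2:                           # traits reference
            class_name, members, dynamic, external = self.traits[ref >> 2]
        else:                                     # inline traits: the sender chooses the class
            external, dynamic = bool(ref & 4), bool(ref & 8)
            class_name = self._string()
            members = [] if external else [self._string() for _ in range(ref >> 4)]
            self.traits.append((class_name, members, dynamic, external))
        obj["__class__"] = class_name
        self.class_names.append(class_name)       # "" means an anonymous (untyped) object
        if external:
            raise ExternalizedPayload(class_name)
        for name in members:
            obj[name] = self.value()
        if dynamic:
            while (name := self._string()) != "":
                obj[name] = self.value()
        return obj


def class_names(data: bytes) -> list:
    """Every class name the message asks the deserializer to instantiate."""
    reader = AMF3Reader(data)
    try:
        reader.value()
    except ExternalizedPayload:
        pass                                      # name already recorded; the rest is opaque
    return reader.class_names


def rejected_classes(data: bytes, allowed: set) -> list:
    """Class names not on the allow-list; a non-empty result means drop the message."""
    return [c for c in class_names(data) if c and c not in allowed]


# Encoders used only to build the constructed samples below.
def u29(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return bytes([0x80 | (n >> 7), n & 0x7F])
    if n < 0x200000:
        return bytes([0x80 | (n >> 14), 0x80 | ((n >> 7) & 0x7F), n & 0x7F])
    return bytes([0x80 | (n >> 22), 0x80 | ((n >> 15) & 0x7F), 0x80 | ((n >> 8) & 0x7F), n & 0xFF])


def s(text: str) -> bytes:                        # inline AMF3 string: U29S-value then UTF-8
    raw = text.encode("utf-8")
    return u29((len(raw) << 1) | 1) + raw


# Constructed samples (not captured traffic); all class names are hypothetical.
ALLOWED = {"com.example.Greeting"}
BENIGN = (b"\x0a" + u29((2 << 4) | 0x03) + s("com.example.Greeting")
          + s("name") + s("count") + b"\x06" + s("alice") + b"\x04" + u29(3))
ARBITRARY = (b"\x0a" + u29((1 << 4) | 0x03) + s("some.arbitrary.JavaClass")
             + s("property") + b"\x06" + s("value"))
EXTERNALIZABLE = b"\x0a" + u29(0x07) + s("some.arbitrary.Externalizable") + b"\xde\xad\xbe\xef"
NESTED = b"\x09" + u29((2 << 1) | 1) + s("") + BENIGN + ARBITRARY

if __name__ == "__main__":
    for label, msg in [("benign", BENIGN), ("arbitrary", ARBITRARY),
                       ("externalizable", EXTERNALIZABLE), ("nested", NESTED)]:
        print(label, class_names(msg), "rejected:", rejected_classes(msg, ALLOWED))
```

The check belongs before the deserializer touches the bytes, not after: the point of the allow-list is that a class name absent from it is never resolved, instantiated, or handed an externalized payload. A class-name audit like this is also a reasonable thing to run over captured AMF traffic when looking for exploitation attempts against an unpatched vCenter.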
Source: http://www.vmware.com/security/advisories/VMSA-2017-0007.html