Tech

VMware patches severe XSS flaws in vRealize software

The flaws could lead to the compromise of user workstations.

Written by Charlie Osborne, Contributing Writer March 17, 2016 at 5:20 a.m. PT

VMware has patched two serious vulnerabilities in the firm's vRealize software which could lead to remote code execution and the compromise of business workstations.

In a security advisory posted on Tuesday, the Palo Alto, California-based firm said the "important" vulnerabilities are found within the VMware vRealize Automation and VMware vRealize Business Advanced and Enterprise software platforms.

The bugs, CVE-2015-2344 and CVE-2016-2075, are Cross-Site Scripting (XSS) issues. XSS exploits occur when a vulnerability in software or apps permit the injection of code client-side, leading to problems including remote code execution, the download of malicious code and system compromise.

Security

The first vulnerability, CVE-2015-2344, impacts VMware vRealize Automation 6.x before 6.2.4 on the Linux operating system, while the second flaw, CVE-2016-2075, affects VMware vRealize Business Advanced and Enterprise 8.x before 8.2.5, again on Linux only.

An independant researcher, Lukasz Plonka, reported the first XSS vulnerability, while Deloitte security researcher Alvaro Trigo Martin de Vidales found and informed VMware of the second issue.

Builds on other operating systems including Microsoft Windows are not affected.

Users are being urged to update as soon as possible. The patches follow the reissue of a security fix for a problem thought to have been adequately patched in October 2015, a critical remote code execution vulnerability in the vCenter Server platform.

In the last month, VMware has been travelling through a corporate shuffle, having lost three key executives in quick succession. Martin Casado, the former head of VMWare's NSX business, CFO Jonathan Chadwick and Carl Eschenbach, VMware's former chief operating officer have all departed to pursue other opportunities.