In the middle of last week VMware issued security updates for the following products:
VMware vCenter Server
VMware vCloud Director
VMware Horizon View
These updates address one information disclosure security vulnerability (CVE, defined). This vulnerability was responsibly disclosed (defined) by security researcher Matthias Kaiser of Code White.
Why Should This Issue Be Considered Important?
Since multiple VMware products have this vulnerability, which could be used to leak the contents of sensitive files on your network, this issue should be patched as soon as possible.
This issue occurs because the XML (defined) parser (a program that analyses data in a structured manner in order to derive meaning from it) contained within Apache Flex BlazeDS 4.7.0 (and earlier), when passed a specially crafted request parameter (a value supplied to a program before it carries out a task), could be used to access the contents of a file on your network.
An example of the path (a means of locating a file starting from the root (beginning) of a file system and progressing towards the desired file) to such a file is shown on the final line of the first code snippet (block) under the heading “Disclosing /etc/passwd or other targeted files” in this article from OWASP.
Here /etc/passwd is the password file of a Linux/Unix system, which stores hashed (defined) user account credentials. Such an attack is called an XML External Entity (XXE) attack (defined). Most importantly, Code White, in a blog post discussing this issue, describe it as easy for an attacker to exploit.
How Can I Protect Myself From This Issue?
VMware have released updates to resolve this issue within the affected products. Please refer to VMware’s security advisory to download the necessary updates.
OWASP also list best practices for avoiding XXE attacks in general, with examples for many popular programming languages.
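The weak-versus-hardened parser configuration behind this class of bug, as an added Python example that is not code from VMware, Apache Flex BlazeDS or OWASP: the Python standard-library SAX parser stands in for the BlazeDS XML parser, and the target file, its contents and the request body are all constructed locally.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects the character data the parser delivers for element content."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_with_entities(xml_bytes, allow_external_entities):
    """Parse xml_bytes with the stdlib SAX parser and return its text.

    True = weak setting (SYSTEM entities are fetched, so an entity body can be
    a local file's contents); False = the hardened setting OWASP recommends."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def xxe_demo():
    """Return (secret, weak_result, hardened_result) for a constructed file."""
    # Constructed stand-in for a sensitive file such as /etc/passwd.
    secret = "root:x:0:0:root:/root:/bin/bash\n"
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write(secret)
        target = f.name
    try:
        # Constructed request body: the internal DTD declares an entity whose
        # value is read from a file path, then the document references it.
        doc = (
            '<?xml version="1.0"?>\n'
            f'<!DOCTYPE r [<!ENTITY xxe SYSTEM "{target}">]>\n'
            "<r><data>&xxe;</data></r>"
        ).encode()
        weak = parse_with_entities(doc, allow_external_entities=True)
        hardened = parse_with_entities(doc, allow_external_entities=False)
    finally:
        os.unlink(target)
    return secret, weak, hardened
```

With the weak setting the parsed text contains the file's contents; with external general entities disabled the same request yields nothing from the file, which is the behaviour a patched parser should show.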
Thank you.