Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

Remote Code Execution Vulnerability Patched in VMware Cloud Director

VMware informed customers on Tuesday that it has patched a high-severity remote code execution vulnerability in its Cloud Director product.

VMware informed customers on Tuesday that it has patched a high-severity remote code execution vulnerability in its Cloud Director product.

The vulnerability, tracked as CVE-2020-3956, has been described as a code injection issue that allows an authenticated attacker to send malicious traffic to Cloud Director, which could result in arbitrary code execution.

“This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access,” VMware said in its advisory.

The security flaw impacts VMware Cloud Director 10.0.x, 9.7.x and 9.5.x on Linux and Photon OS appliances, and version 9.1.x on Linux. Versions 8.x, 9.0.x and 10.1.0 are not affected.

VMware has released updates that should patch the vulnerability, as well as a workaround that users can apply to prevent attacks.

Tomáš Melicher and Lukáš Václavík of Citadelo have been credited for reporting the issue to VMware.

Advertisement. Scroll to continue reading.

Earlier this month, VMware released patches for vRealize Operations Application Remote Collector (ARC) to address a couple of recently disclosed Salt vulnerabilities that have already been exploited to hack organizations.

In April, the virtualization giant patched a critical vulnerability that can be exploited by hackers to compromise vCenter Server or other services. Researchers disclosed details about the flaw a few days later.

Related: VMware Again Fails to Patch Privilege Escalation Vulnerability in Fusion

Related: VMware Patches Serious Flaws in vRealize Operations for Horizon Adapter

Related: VMware Patches ESXi Vulnerability That Earned Hacker $200,000

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

BlueVoyant has appointed Ravi Subramanian as CFO and Jamie Coleman as CCO.

Solana Foundation has appointed Michael Coates as Chief Information Security Officer.

Michael Sikorski has joined Coinbase as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.