VMware Security Advisory

VMware Security Advisory VMSA-2017-0017

Constantin Ghioc VMware

VMware has released a new security advisory: “VMSA-2017-0017 – VMware vCenter Server update resolves LDAP DoS, SSRF and CLRF injection issues“.

VMSA-2017-0017 advisory covers two issues affecting VMware vCenter Server:

  • CVE-2017-4927 – VMware vCenter Server doesn’t correctly handle specially crafted LDAP network packets which may allow for remote DoS. This issue affects vCenter Server 6.5 and 6.0. vCenter Server 6.5 Update 1 and 6.0 Update 3c fix this issue.
  • CVE-2017-4928 – SSRF and CRLF injection issues in vSphere web client. An attacker may exploit the Flash-based vSphere Web Client by sending a POST request with modified headers towards internal services leading to information disclosure. This issue affects vCenter Server 6.0 and 5.5. vCenter Server 6.0 Update 3c and 5.5 Update 3f fix this issue.

VMware vCenter Server 6.0 Update 3c

VMware vCenter Server 6.0 Update 3c referenced in VMSA-2017-0017 advisory is a new release for 6.0 branch. The new update fixes issues in multiple zones:

  • slow login times
  • vCenter Server fails due to аn ODBC error
  • vSphere Web Client might show incorrect count of virtual machines in a port group
  • When you create a new port in a vSphere Distributed Switch you might get an error
  • vNICs of VMs might lose connection after a refresh of VMware Horizon view pool
  • vCenter Server might become unresponsive while Storage DRS is enabled
  • Storage DRS might fail with incorrect NoDiskSpace error
  • Attempts to join Active Directory domains fail intermittently with error LW_ERROR_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
  • Hardware information on the Host Summary page might display an error
  • vSphere Web Client might not show the advanced performance charts to users with role privileges
  • Setup of a scheduled task to migrate VMs between vCenter Server instances might fail with an error
  • A consecutive scheduled task for virtual machine configuration might fail
  • Shutdown or restart of a virtual machine with guest OS using vSphere Web Client might fail
  • Cluster maintenance mode takes long to get DRS recommendations
  • Guest customization might fail with an error GUESTCUST_EVENT_CUSTOMIZE_FAILED
  • Guest OS customization might fail when you use the vSphere API
  • SNMP shows CPU and memory utilization of a VCSA constantly at 100 percent
  • Login of Active Directory domain user accounts ending with a dollar sign fails on vCenter Server and ESXi hosts

A series of components is also updated: Spring Framework to 4.3.5, vPostgres to 9.3.17, OpenSSL to 1.0.2k, Oracle JRE to 1.7.0_151, Python to 2.7.13, Taglibs to 1.2.5. For full list of fixes check the release notes.

VMware also released a patch for vSphere 6.0: Patch Release ESXi600-201711001 (2151126).

Start testing 🙂

You can check reports on other VMware vulnerabilities in my page dedicated to Security Advisories.

Constantin Ghioc

I usually play with vSphere API, Ansible, vRealize Automation, vRealize Orchestrator, and different AWS tools. In my other life I’m a husband and a father, an amateur photographer and a Go enthusiast.

Leave a Reply