Menu
VMware catches up with some Apache Struts patches, but not all

VMware catches up with some Apache Struts patches, but not all

The company updates the version of Struts included in its vCenter Operations Management Suite product

Two months after critical vulnerabilities were patched in Apache Struts, a popular open-source framework for developing Java-based Web applications, VMware released a security update to incorporate the fixes in its vCenter Operations Management Suite product but appears to have left out a more recent patch.

The vCenter Operations Management Suite can be used to monitor and manage the performance, capacity and configuration of virtualized infrastructure. It depends on Struts for some of its features.

"The Apache Struts library is updated to version 2.3.16.2 to address multiple security issues," VMware said in a security advisory Tuesday that coincided with the release of vCenter Operations Management Suite (vCOps) version 5.8.2.

Apache Struts 2.3.16.2 was an emergency update released on April 24 after it was revealed that a fix included in Struts 2.3.16.1 for a remote code execution vulnerability was insufficient and could be bypassed.

The bypass was treated as a separate vulnerability and was assigned the CVE-2014-0112 tracking number, superseding the original issue known as CVE-2014-0094.

The vCOps 5.8.2 also incorporated a patch for a denial-of-service vulnerability tracked as CVE-2014-0050 that was also originally patched in Struts 2.3.16.1.

"VCOps is affected by both CVE-2014-0112 and CVE-2014-0050," VMware said in its advisory. "Exploitation of CVE-2014-0112 may lead to remote code execution without authentication."

Users of the older vCOps 5.7.x branch are advised to either upgrade to vCOps 5.8.2 or to manually apply a workaround described in a separate knowledge base article.

Another VMware product called vCenter Orchestrator (vCO) is affected only by the denial-of-service issue (CVE-2014-0050), but no patch has been released yet.

The Struts developers further improved their fix for CVE-2014-0094 and CVE-2014-0112 in Struts 2.3.16.3, released on May 3, after discovering that their previous patches still didn't cover all possible exploits.

The new fix addressed a medium-risk exploit that could have allowed attackers to manipulate the internal state of sessions and requests. The issue received the tracking number CVE-2014-0116.

Since vCOps was affected by CVE-2014-0094 and CVE-2014-0112, it's likely that it is also affected by CVE-2014-0116 since all three vulnerabilities stem from the same underlying problem. However, the new VMware advisory doesn't mention CVE-2014-0116 or Struts 2.3.16.3.


Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags patchesintrusionsecuritypatch managementExploits / vulnerabilitiesVMware

Featured

Slideshows

Kiwi channel comes together for another round of After Hours

Kiwi channel comes together for another round of After Hours

The channel came together for another round of After Hours, with a bumper crowd of distributors, vendors and partners descending on The Jefferson in Auckland. Photos by Maria Stefina.​

Kiwi channel comes together for another round of After Hours
Consegna comes to town with AWS cloud offerings launch in Auckland

Consegna comes to town with AWS cloud offerings launch in Auckland

Emerging start-up Consegna has officially launched its cloud offerings in the New Zealand market, through a kick-off event held at Seafarers Building in Auckland.​ Founded in June 2016, the Auckland-based business is backed by AWS and supported by a global team of cloud specialists, leveraging global managed services partnerships with Rackspace locally.

Consegna comes to town with AWS cloud offerings launch in Auckland
Veritas honours top performing trans-Tasman partners

Veritas honours top performing trans-Tasman partners

Veritas honoured its top performing partners across the channel in Australia and New Zealand, recognising innovation and excellence on both sides of the Tasman. Revealed under the Vivid lights in Sydney, Intalock claimed the coveted Partner of the Year 2017 (Pacific) award, with Data#3 acknowledged for 12 months of strong growth across the market. Meanwhile, Datacom took home the New Zealand honours, with Global Storage and Insentra winning service provider and consulting awards respectively. Dicker Data was recognised as the standout distributor of the year, while Hitachi Data Systems claimed the alliance partner award. Photos by Bob Seary.

Veritas honours top performing trans-Tasman partners
Show Comments