"VMware Patches Code Execution Vulnerability in vCenter Server"

VMware recently announced patches for a vCenter Server vulnerability that could lead to arbitrary code execution. vCenter Server, a centralized management utility, is used for controlling virtual machines and ESXi hosts, along with their dependent components.

The patched security bug is tracked as CVE-2022-31680 (CVSS score of 7.2) and is described as an unsafe deserialization vulnerability in the platform services controller (PSC). Researchers at Cisco Talos found and reported the bug, and VMware states that a malicious actor with admin access on the vCenter Server may exploit this issue to execute arbitrary code on the underlying operating system that hosts the vCenter Server. The vulnerability was addressed with the release of VMware vCenter Server 6.5 U3u.

This week, VMware also released a patch for a low-severity denial-of-service (DoS) vulnerability in the VMware ESXi bare metal hypervisor. Tracked as CVE-2022-31681, the issue is described as a null-pointer dereference flaw that could allow "a malicious actor with privileges within the VMX process only" to create a DoS condition on the host. The bug was addressed with ESXi versions ESXi70U3sf-20036586, ESXi670-202210101-SG, and ESXi650-202210101-SG. VMware noted that Cloud Foundation (ESXi) is also impacted by this vulnerability.

The company recommends that all customers update to a patched version of the impacted software. The company did not mention whether any of these vulnerabilities are being exploited in attacks.


SecurityWeek reports: "VMware Patches Code Execution Vulnerability in vCenter Server"