One vulnerability could be exploited to run arbitrary code

Jun 26, 2014 14:17 GMT  ·  By

In a recent VMware update, several security fixes for vulnerabilities affecting the Apache Struts Java application framework have been implemented in vCenter Operations Management Suite (vCOps).

One of the flaws, identified as CVE-2014-0112, would allow a potential attacker to execute code remotely; it appears that the problem had previously been addressed as CVE-2014-0094, but that fix was only partial.

This security fix comes more than one month after Apache Struts received the previous patch. Its description says that “ParametersInterceptor in Apache Struts before 2.3.16.2 does not properly restrict access to the getClass method, which allows remote attackers to ‘manipulate’ the ClassLoader and execute arbitrary code via a crafted request.”
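An added detection example, not taken from VMware, the Struts project or the advisory: a Python check over constructed access-log lines that flags request parameter names whose OGNL-style path reaches `class` or `classLoader`, the getClass()/ClassLoader path the CVE description says ParametersInterceptor failed to restrict. The segment rule is my own approximation, not the excludeParams pattern shipped in Struts 2.3.16.2.

```python
import re
from urllib.parse import parse_qsl

# Assumption: a parameter name is suspect when any dotted or bracketed
# segment of it is "class" or "classLoader" (case-insensitive). This is
# a simplified stand-in for the Struts excludeParams regex, not the real one.
SEGMENT_SPLIT = re.compile(r"[.\[\]'\"]+")
SUSPECT_SEGMENTS = {"class", "classloader"}

def is_suspect_param(name: str) -> bool:
    """True if an OGNL-style parameter name walks into getClass()/classLoader."""
    segments = [s for s in SEGMENT_SPLIT.split(name) if s]
    return any(s.lower() in SUSPECT_SEGMENTS for s in segments)

def scan_query(query: str) -> list:
    """Return the suspicious parameter names found in a URL query string."""
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if is_suspect_param(k)]

# Constructed sample access-log lines (not real traffic).
LOG_LINES = [
    '10.0.0.5 - - [26/Jun/2014:14:17:01 +0000] "GET /vcops/login.action?username=admin&lang=en HTTP/1.1" 200 512',
    '10.0.0.9 - - [26/Jun/2014:14:17:03 +0000] "GET /vcops/login.action?class.classLoader.defaultAssertionStatus=true HTTP/1.1" 200 512',
    '10.0.0.9 - - [26/Jun/2014:14:17:04 +0000] "POST /vcops/login.action?Class[%27classLoader%27].x=1 HTTP/1.1" 302 0',
]

# Pulls the request path and optional query string out of a combined-format line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+?)(?:\?(?P<query>\S*))? HTTP/')

def scan_log(lines) -> list:
    """Return (client_ip, suspicious_param_names) for each line worth alerting on."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m or not m.group("query"):
            continue
        suspects = scan_query(m.group("query"))
        if suspects:
            hits.append((line.split()[0], suspects))
    return hits

if __name__ == "__main__":
    for ip, params in scan_log(LOG_LINES):
        print(f"ALERT {ip}: {params}")
```

Because parse_qsl decodes percent-encoding before the name is split, the bracketed and URL-encoded spelling on the third line is caught as well as the plain dotted form.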

Another flaw, identified as CVE-2014-0050, is less serious: if exploited by a remote attacker, it could lead to a denial-of-service condition by continuously consuming CPU resources.

All users of vCenter Operations Management Suite are advised to update to the latest version of the suite, which at the moment is 5.8.2.

vCOps is designed to help automate the management of operations by using patented analytics. It can be used to prevent performance problems by offering information about the current health, risk and efficiency of virtual and physical infrastructures, as well as of operating systems and applications.