VMware Releases vCenter Server Replace to Repair Crucial RCE Vulnerability
VMware has launched software program updates to handle an already patched safety flaw in vCenter Server that might pave the best way for distant code execution.
The vulnerability, tracked as CVE-2024-38812 (CVSS rating: 9.8), issues a case of heap-overflow vulnerability within the implementation of the DCE/RPC protocol.
“A malicious actor with community entry to vCenter Server could set off this vulnerability by sending a specifically crafted community packet probably resulting in distant code execution,” Broadcom-owned virtualization companies supplier said.
The flaw was initially reported by zbl and srs of workforce TZL on the Matrix Cup cybersecurity competitors held in China earlier this yr.
“VMware by Broadcom has decided that the vCenter patches launched on September 17, 2024 didn’t totally tackle CVE-2024-38812,” the corporate famous.
Patches for the flaw can be found within the beneath vCenter Server variations –
- 8.0 U3d
- 8.0 U2e, and
- 7.0 U3t
It is also obtainable as an asynchronous patch for VMware Cloud Basis variations 5.x, 5.1.x, and 4.x. There are not any recognized mitigations.
Whereas there is no such thing as a proof that the vulnerability has been ever exploited within the wild, customers are suggested to replace to the newest variations to safeguard towards potential threats.
In July 2021, China passed a law that requires vulnerabilities found by researchers within the nation to be promptly disclosed to the federal government and the product’s producer, elevating issues that it might assist nation-state adversaries stockpile zero-days and weaponize them to their benefit.