|VMware Security Advisory|
|Synopsis:||VMware product updates address a critical deserialization vulnerability|
|Updated on:||2015-12-18 (Initial Advisory)|
vCenter Orchestrator 5.x
A deserialization vulnerability involving Apache Commons-collections and a specially constructed chain of classes exists. Successful exploitation could result in remote code execution, with the permissions of the application using the Commons-collections library.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-6934 to this issue.
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
|vRealize Orchestrator||7.0||Any||Not Affected|
|vRealize Operations||6.x||Windows||Patch Pending *|
|vCenter Operations||5.x||Windows||Patch Pending *|
|vCenter Application Discovery Manager (vADM)||7.x||Any||Patch Pending|
* Exploitation of the issue on vRealize Operations and vCenter Operations is limited to local privilege escalation.
Downloads and Documentation: http://kb.vmware.com/kb/2141244
Created on December 18, 2015 by Rick Scherer