vCenter’s phone-home ‘customer improvement’ feature opened remote code execution hole
Ever worried that software that phones home application performance data, so vendors can learn from real-world users, might become an attack vector? If so, your nightmare just came true: VMware’s vCenter has just that problem, thanks to its use of the Adobe-derived open-source BlazeDS messaging tool to process messages.
VMware has issued patches for vCenter 6.0 and vCenter 6.5, both rated critical. Previous versions of vCenter don’t have the problem. But even users who opted out of VMware’s Customer Experience Improvement Program are susceptible.
To read the entire article, please click on this link https://www.theregister.co.uk/2017/04/18/vmware_security_roundup/