VMware issued a security advisory for multiple vulnerabilities that impact VMware ESXi and vCenter Server products. The vulnerability severity ranges from a CVSS base score of 4.2 to 7.7.
The VMware ESXi updates address one command injection (CVE-2017-16544) and one information disclosure vulnerability (CVE-2019-5531).
The VMware vCenter Server updates address two information disclosure vulnerabilities (CVE-2019-5532 and CVE-2019-5534). The latter two are the most severe with CVSS base scores of 7.7 each.
The information disclosure bug CVE-2019-5532 is caused by the logging of credentials in plain-text for virtual machines deployed through OVF.
“A malicious user with access to the log files containing vCenter OVF-properties of a virtual machine deployed from an OVF may be able to view the credentials used to deploy the OVF (typically the root account of the virtual machine),” VMware noted in the advisory.
The other high severity information disclosure vulnerability CVE-2019-5534 is in the vAppConfig properties of vCenter. Similar to the previously mentioned bug, an attacker may be able to view the credentials (via query of vAppConfig properties) used to deploy the OVF.
Finally, the other two updates include a patch for VMware ESXi ‘busybox’ command injection vulnerability (CVE-2017-16544) and ESXi Host Client, vCenter vSphere Client and vCenter vSphere Web Client information disclosure vulnerability (CVE-2019-5531).