back to article VMware, Xen issue urgent patches

VMware has let it be known that its vRealize Orchestrator, vRealize Operations, vCenter Operations and vCenter Application Discovery Manager products all need fixing to harden them against “a critical deserialization vulnerability”. The flaw involves “Apache Commons-collections and a specially constructed chain of classes” and …

  1. RIBrsiq

    Dammit, Microsoft! Can't you learn to write secure code...?

    Oh, wait...

    1. Anonymous Coward
      Anonymous Coward


      Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Microsoft?

      People need to give themselves a shake and stop using MS products!


  2. Nate Amsden Silver badge

    as a happy vmware customer for 16 years

    Happier that I've never used any of the products mentioned. (Happy to not use xen too)

    1. DougMac

      Re: as a happy vmware customer for 16 years

      Although if you have windows vCenter, you already have Orchestrator pre-installed.

      It just isn't enabled to run by default.

      Imagine if it was though, and just because you didn't use it, doesn't mean it isn't there ready to cause a security problem..

  3. Anonymous Coward
    Anonymous Coward

    This is what you get for using C! hahahahaha ... Oh, it's Java! I thought that was one of those "secure" languages that does bounds checks etc at runtime and totally avoids security issues. oh noes!

    1. Anonymous Coward
      Anonymous Coward

      As you well know there's no such thing as a secure language, at least not one that does useful stuff. However, Java doesn't do the idiotic "write past the end of the buffer and keep going" thing that C does, so in that respect it is more secure. (Well, ok, java isn't bulletproof, but buffer overflows are not a language "feature" like in C.)

      1. asdf
        Thumb Down

        you are right

        Nope Java standard just has the mother of all runtimes that is doomed to be eternally insecure and bloaty. At least with C for the most part the exploits you roll out with either be your own or code you explicitly included.

      2. agatum

        > However, Java doesn't do the idiotic "write past the end of the buffer and keep going" thing that C does

        C does no such thing. C _enables_ you to do such thing. Like, if you are an idiot, you can hit yourself with a hammer. Hammer is not to blame.

        1. asdf

          to be that guy

          >C _enables_ you to do such thing.

          Well to be devil's advocate it practically guarantees on any complex code base with successive generations of programmers of varying competence (the norm in corporate enterprise) it will be done multiple times and several may never get caught as a code review may be done half ass by an even more incompetent dev and QA departments are almost always considered nothing but a cost and staffed often with people who struggle to turn a computer on (to reduce costs). A smug C++ 12 dev would mention that smart pointers give the benefits of both worlds but again with the corporate environments love of cheap freshouts and parochial management other much more creative exploits will be generated even if this simple one is eliminated with business rules and processes. What was the point again? Oh yeah groups of people are retarded and generally dumber than their dumbest cog.

        2. sabroni Silver badge

          re: C does no such thing. C _enables_ you to do such thing.

          That's _handy_.

  4. The Average Joe

    internal network protection

    well if you protect your infrastructure and servers you can keep running VMware. Those VMware services are ones we use inside and do not publish that as an external accessible resource.

    Xen on the other hand, this would allow your system to be pawned! LOL

  5. Cranky_Yank

    When a cafe in a gentrification zone has a critical deserialization vulnerability, does it move to Brick ln.?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like