VMware reveals critical vCenter hole it says ‘needs to be considered at once’

VMware has revealed a critical bug that can be exploited to achieve unauthenticated remote code execution in the very core of a virtualised system – vCenter Server. The culprit is the vSphere HTML5 client, which by default includes the Virtual SAN Health plugin – even if you don’t run a VMware VSAN. That plugin lacks input …

  1. Throatwarbler Mangrove Silver badge

    Hey now

    "a justifiably unloved C# client"

    Some of us still miss the standalone client and think the Web interface(s) remain a poor substitute.

    1. chivo243 Silver badge

      Re: Hey now

      +1

      I miss the standalone client. I won't miss the Flashy client... HTML client needs more work under the hood, methinks.

      1. Nate Amsden Silver badge

        Re: Hey now

        As a Linux user since 1996, count me in the group that really misses the .NET client. I run all my vCenter stuff in VMware Workstation running Windows anyway (Linux host OS). I held onto vCenter 5.5 for as long as I could.

        Side note - am installing this on one of my 6.7 vCenter setups and the build number doesn't match, the ISO is VMware-vCenter-Server-Appliance-6.7.0.48000-18010531-patch-FP.iso and the actual build after installation is 18010599 (but it also says 48000 on the login screen) from the command "vpxd -v". Don't recall ever seeing a mismatch like this before myself.

        1. gerdesj Silver badge

          Re: Hey now

          I update mine from within the vCenter itself on :5480 - a lot easier than faffing with .isos.

          Version 6.7.0.48000 is given a Severity of critical and a Priority of Low. errr ....

          1. Anonymous Coward

            Re: Hey now

            If you have a vCenter HA cluster you need to use the patch ISO. You patch the witness, then the secondary node, failover and then patch what was the primary. You do this via the primary node over SSH, as they are not available on the network, only the cluster network.

            1. Nate Amsden Silver badge

              Re: Hey now

              Yes, sorry, forgot to mention HA. vCenter HA's value is questionable to me; it has its own share of issues and the failover times are absolutely terrible (for my simple setups it probably takes a good 6 minutes; I understand why it takes that long due to the design of the apps, HA is sort of a bolt-on thing instead of a design thing). Then there's the times when you have to destroy HA to upgrade with schema changes and stuff. But I hope it is better than nothing... sometimes I wonder though.

              1. Anonymous Coward

                Re: Hey now

                Yep, for me it's around 4-5 minutes to get vCenter back up and running and responding OK. I have also wondered if it's really worth running due to that. But it's better than nothing if one node goes down for some reason.

                Would have been nice if vCenter itself was aware of HA and wasn't really just a bolt-on, and could have actually been running, just not accepting anything as a minimum (better would be both running). But that probably would have needed a rewrite of all that legacy code.

      2. Nick Ryan Silver badge

        Re: Hey now

        The standalone client just worked. It was easy and did the job.

        The Flash client was an exercise in total and utter stupidity... using something that should only ever be used to enhance parts of a website to do anything more was... inexcusable. The fact that it was only marginally less insecure than ActiveX was no excuse. No server or management system should ever have Flash enabled on it.

    2. Mr.Nobody

      Re: Hey now

      Our lives have been forever ruined by the HTML 5 client. We held on to ESXi 6 as long as we could stand it.

      Writing "a justifiably unloved C# client" makes me wonder who the author spoke to that didn't like the C# client. I haven't met a person yet that doesn't long to go back to it.

  2. tip pc Silver badge

    There will be more vulnerabilities found

    Complex products, lots of different people doing different bits at different qualities.

    Likely passed validation at the time but now not up to muster.

    When you accept that problems will be found, you can work on mitigations ahead of time so hopefully any potential problems will have a smaller impact.

  3. Claptrap314 Silver badge

    Flash, HTML5... WAT?

    Seriously, why on earth is it the right thing to be running something so hideously complicated at the core of your service?

    Complexity is the bane of security. Security is NOT optional.

    This thing should be running an API server. Anything else is...well, two 9.8s so far this year...

    1. KSM-AZ

      Re: Flash, HTML5... WAT?

      Remember VMware 1.0... Web only. Then this client, that client; API is the best. I run KVM for personal, VMware for work. Just move everything to AWS, what could go wrong?

      *REALLY*! Is anyone actually exposing vCenter to the internet? Shame on you. Segment your networks; this is something that should be addressed, not a panic.

      1. Michael Wojcik Silver badge

        Re: Flash, HTML5... WAT?

        It's probably very common to have vCenter not exposed on the Internet but exposed throughout the corporate network, and only fools think their corporate network is secure. All it takes is one compromised user to let attackers onto the corporate network.

  4. Anonymous Coward

    "...default includes the Virtual SAN Health plugin – even if you don’t run a VMware VSAN."

    So, modern "elegant" web design.

    BTW, I can't tell what the word "plugin" means here, is it an extension or background ps for the client?


Biting the hand that feeds IT © 1998–2022