Security fixes for vulnerabilities affecting the Apache Struts Java application framework have been implemented in VMware’s vCenter Operations Management Suite (vCOps).
One of the flaws, identified as CVE-2014-0112, would allow a remote attacker to execute code; it appears the problem was only partially solved by the fix for CVE-2014-0094.
This security fix comes more than one month after Apache Struts received the previous patch. Its description said “ParametersInterceptor in Apache Struts before 188.8.131.52 does not properly restrict access to the getClass method, which allows remote attackers to ‘manipulate’ the ClassLoader and execute arbitrary code via a crafted request.”
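A defender-side check for the request shape that description refers to, as an added example that is not from VMware, Apache Struts or the original article: it scans access-log lines for query parameter names whose property path includes a `class` segment. The log format, the sample lines and the matching rule are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request part of a common-log-format line (assumed log layout).
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Property paths use dot or bracket notation: a.b, a['b'], a["b"].
SEGMENT_SPLIT = re.compile(r"""[.\[\]'"]+""")


def references_class(param_name):
    """True when any segment of the property path is exactly 'class' or 'Class'."""
    return any(s in ("class", "Class") for s in SEGMENT_SPLIT.split(param_name))


def suspicious_params(log_line):
    """Return the decoded query parameter names in one log line that reference 'class'."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    # parse_qsl percent-decodes names, so encoded variants are normalised first.
    names = [name for name, _ in parse_qsl(query, keep_blank_values=True)]
    return [name for name in names if references_class(name)]


def scan(lines):
    """Map 1-based line numbers to the flagged parameter names on that line."""
    hits = {}
    for number, line in enumerate(lines, 1):
        flagged = suspicious_params(line)
        if flagged:
            hits[number] = flagged
    return hits


# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jul/2014:10:00:01 +0000] "GET /app/login.action?user.name=alice&user.className=x HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jul/2014:10:00:07 +0000] "GET /app/view.action?class.classLoader.placeholderProperty=1 HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jul/2014:10:00:09 +0000] "GET /app/view.action?id=7&%63lass%5B%27classLoader%27%5D=1 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jul/2014:10:00:12 +0000] "GET /static/classroom.css HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for line_number, names in scan(SAMPLE_LOG).items():
        print(line_number, names)
```

Parameters sent in POST bodies do not appear in access logs, so this check covers query strings only.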
Another flaw, identified as CVE-2014-0050, is less serious and, if exploited by a remote attacker, could lead to a denial-of-service condition, continuously consuming CPU resources.
All users of vCenter Operations Management Suite should update to the latest version of the suite, which at the moment is 5.8.2, researchers said.
vCOps helps automate the management of operations by using patented analytics. It can prevent performance problems by offering information about the current health, risk and efficiency of virtual and physical infrastructures, as well as of operating systems and applications.