VMware has updated its Horizon View Client and vSphere Data Protection (VDP) products to fix three vulnerabilities rated critical and important.
VDP versions 5.5.x, 5.8.x, 6.0.x and 6.1.x are affected by two flaws: a Java deserialization issue and a weakness in how stored credentials are protected.
The deserialization issue, CVE-2017-4914, was reported to VMware by Tim Roberts, Arthur Chilipweli and Kelly Correll of NTT Security.
The flaw can be exploited remotely to execute arbitrary commands on a vulnerable appliance, VMware said.
The second VDP vulnerability, CVE-2017-4917, was reported by Marc Ströbel (aka phroxvs) of HvS-Consulting. VDP stores vCenter Server credentials locally using reversible encryption, so an attacker who can read the stored data can recover the credentials in plaintext.
Users of affected VDP releases should update to version 6.0.5 or 6.1.4.
In addition, VMware fixed an important-rated command injection vulnerability in the Horizon View Client for Mac.
Florian Bogner of Kapsch BusinessCom AG found that the application's service startup script is vulnerable to command injection. An unprivileged local user can exploit the flaw to escalate privileges to root on the affected Mac OS X system, VMware said.
The flaw, CVE-2017-4918, affects View Client versions 2.x, 3.x and 4.x and is fixed in version 4.5.
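To show the bug class behind the Horizon View Client issue, the following is an added shell example, not the VMware startup script (whose contents the article does not show) and not Bogner's proof of concept. It assumes the common shape of such bugs: a script running as root pastes a value an unprivileged user can influence into a command string and lets the shell re-parse it. The service name, the payload and the privileged stand-in function are all constructed for the illustration; the hardened version validates the value against an allowlist and passes it as a single quoted argument.

```shell
#!/bin/sh
# Added illustration of a command injection in a root-run script. NOT the
# VMware Horizon View Client startup script; script body, service name and
# payload below are constructed for this example.

# Stand-in for the privileged operation the real script would perform. It only
# reports how many arguments arrived, so we can see whether the untrusted value
# stayed one argument or was split into extra shell commands.
privileged_op() {
    printf 'privileged_op got %s arg(s)\n' "$#"
}

# Constructed untrusted input, e.g. a value an unprivileged user can place in a
# file or environment variable that the root-run script reads. The ';' ends the
# intended command and starts the attacker's.
UNTRUSTED_NAME='vmware-usb; echo INJECTED'

# Vulnerable pattern: the value is pasted into a command string and re-parsed
# by the shell via eval (the same happens with `sh -c "$cmd"` or an unquoted
# variable inside backticks). Everything after ';' runs with the script's
# privileges, i.e. as root.
vulnerable_start() {
    cmd="privileged_op $1"
    eval "$cmd"
}

# Hardened pattern: reject anything outside a strict allowlist of characters,
# then hand the value over as ONE quoted argument so the shell never
# re-interprets it.
safe_start() {
    case "$1" in
        *[!A-Za-z0-9._-]*|'')
            printf 'rejected service name: %s\n' "$1" >&2
            return 1
            ;;
    esac
    privileged_op "$1"
}

# Demonstration when run directly: the first call executes the injected echo,
# the second refuses the input, the third shows the benign case working.
echo '--- vulnerable_start ---'
vulnerable_start "$UNTRUSTED_NAME"
echo '--- safe_start (hostile input) ---'
safe_start "$UNTRUSTED_NAME" || echo "safe_start refused the input"
echo '--- safe_start (benign input) ---'
safe_start 'vmware-usb'
```

The same rule applies to any language's shell-out primitives: never build a command line by string concatenation from data a less privileged principal controls; use an argument vector and validate the data first.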