Remote Code Execution in VMware vRealize and vCenter Products
CVE-2015-6934

7.3HIGH

Key Information:

Vendor: Vmware
Status: Vcenter Orchestrator; Vrealize Orchestrator
Vendor: CVE Published:; 21 December 2015

Summary

The vulnerability occurs in VMware's vRealize Orchestrator and related products due to improperly handled serialized objects. Attackers can exploit this weakness by sending crafted serialized Java objects that leverage the Apache Commons Collections library, potentially allowing execution of arbitrary commands on the affected systems. This could lead to unauthorized access and control over sensitive data and system functionalities. It is critical for users to ensure they are using updated versions of these products to mitigate the risk.

References

http://www.vmware.com/security/advisories/VMSA-2015-0009....

x_refsource_CONFIRM

http://www.securityfocus.com/bid/79648

vdb-entryx_refsource_BID

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 21, 2015
Vulnerability Reserved
Sep 14, 2015