Deserialization Vulnerability in VMware vRealize Automation and vSphere Integrated Containers
CVE-2017-4947

9.8CRITICAL

Key Information:

Vendor
Vmware
Status
Vrealize Automation
Vsphere Integrated Containers
Vendor
CVE Published:
29 January 2018

Summary

VMware's vRealize Automation (versions 7.2 and 7.3) and vSphere Integrated Containers (versions 1.x prior to 1.3) are affected by a deserialization vulnerability through the Xenon service. If leveraged by an attacker, this vulnerability may facilitate the execution of arbitrary code on the appliance, potentially compromising the security and integrity of the affected systems. Users are advised to patch their installations to mitigate risks associated with this issue.

Affected Version(s)

vRealize Automation 7.3 and 7.2

vSphere Integrated Containers 1.x before 1.3

References

http://www.securityfocus.com/bid/102852
vdb-entryx_refsource_BID
https://www.vmware.com/security/advisories/VMSA-2018-0006...
x_refsource_CONFIRM
http://www.securitytracker.com/id/1040289
vdb-entryx_refsource_SECTRACK

EPSS Score

27% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.