VMware has warned of a bug that only impacts service providers.
The flaw is present in vCloud Director, the tool VMware offers to its partners “to operate and manage successful cloud-service businesses”. vCloud Director makes that possible by facilitating creation of virtual data centres for a service provider’s clients.
But as security advisory VMSA-2019-0004 warns, the product contains “a Remote Session Hijack vulnerability in the Tenant and Provider Portals.
And it's a bad one: “Successful exploitation of this issue may allow a malicious actor to access the Tenant or Provider Portals by impersonating a currently logged in session.”
Accessing the Partner Portal sounds terrifying, given that vCloud Director lets a service provider define a client’s entire private cloud.
Fortunately, the problem only impacts version 9.5.x of the tool, and VMware has released version 220.127.116.11 to fix it. But that still leaves service providers with an upgrade to do.
Which is why CRN has written this story on Saturday morning – an act of solidarity with readers who lose a slice of their weekends hack-proofing their VMware infrastructure!