VMware has plugged a critical security issue in the VMware Client Integration Plugin, which could allow for a Man in the Middle attack or web session hijacking in case the user of the vSphere Web Client visits a malicious website.
The vulnerability (CVE-2016-2076) is due to incorrect session handling, and could lead to disclosure of sensitive information.
The buggy plugin is found in vCenter Server 6.0 (any 6.0 version prior to 6.0 U2), vCenter Server 5.5 U3a, U3b, U3c, vCloud Director 5.5.5, and vRealize Automation Identity Appliance 6.2.4.
“In order to remediate the issue, both the server side (i.e. vCenter Server, vCloud Director, and vRealize Automation Identity Appliance) and the client side (i.e. CIP of the vSphere Web Client) will need to be updated,” VMware has explained in an advisory.
No additional details about the vulnerability have been shared, but it’s likely not being exploited in the wild, as the company would surely say so if it is.
Nevertheless, updating affected installations as soon as possible is a good idea.