VMware has assigned the highest Common Vulnerability Scoring System 3 (CVSSv3) rating, 10.0, to a vulnerability (CVE-2020-3952) found in its VMware vCenter Server version 6.7 software. VMware now has a patch that addresses this vulnerability, and administrators are urged to install it as soon as possible.
The vulnerability is located within the VMware Directory service (vmdir), which does not properly implement access controls. This can allow a malicious actor to exploit vmdir and gain access to information that can be used to compromise vCenter Server – the centralized management software that allows administrators to manage all instances of virtual machines, ESXi hosts, virtual servers, and vMotion.
As a result, VMware has deemed this to be a critical advisory (VMSA-2020-0006) and allocated to it the highest CVSSv3 rating of 10.0.
To resolve the issue, VMware has released a patch, vCenter Server version 6.7u3f, that addresses this vulnerability. Administrators running any instance of vCenter Server version 6.7, whether the virtual appliance or the Windows version, are strongly urged to install this patch as soon as possible.
Note that vCenter Server versions 6.5 and 7.0 remain unaffected by this vulnerability.
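A quick inventory triage for this advisory, as an added example that is not VMware's own tooling: it classifies each vCenter Server as patched, vulnerable, or not affected using only the facts above (only the 6.7 line is affected, 6.7u3f is the fix, 6.5 and 7.0 are unaffected). The hostnames and version strings in the inventory are constructed sample data, and the "6.7u3f"-style version notation is assumed to be how the inventory records update releases.

```python
"""Patch-status triage for VMSA-2020-0006 / CVE-2020-3952 (added example)."""
import re
from typing import Dict, Tuple

# Affected product line and the release that resolves the issue, per the advisory.
AFFECTED_LINE = (6, 7)
FIXED_VERSION = "6.7u3f"

# major.minor with an optional update designator such as u3, u3b, u3f
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:u(\d+)([a-z]?))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '6.7u3f' into a comparable tuple (6, 7, 3, 6).

    A plain '6.7' (no update) sorts before every update release, and the
    trailing letter sorts a < b < ... so that u3b < u3f.
    """
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised vCenter version string: {text!r}")
    major, minor, upd, letter = m.groups()
    upd_n = int(upd) if upd else 0
    letter_n = (ord(letter) - ord("a") + 1) if letter else 0
    return (int(major), int(minor), upd_n, letter_n)


FIXED = parse_version(FIXED_VERSION)


def status(version: str) -> str:
    """'patched', 'vulnerable' or 'not-affected' for CVE-2020-3952."""
    v = parse_version(version)
    if v[:2] != AFFECTED_LINE:
        return "not-affected"  # 6.5 and 7.0 are unaffected per the advisory
    # Assumes any 6.7 release at or after 6.7u3f carries the fix.
    return "patched" if v >= FIXED else "vulnerable"


# Constructed sample inventory: hostnames and versions are made up.
INVENTORY: Dict[str, str] = {
    "vcsa-prod-01": "6.7u3f",
    "vcsa-prod-02": "6.7u3b",
    "vcsa-lab": "6.7",
    "vc-win-legacy": "6.5u3",
    "vcsa-new": "7.0",
}


def triage(inventory: Dict[str, str] = INVENTORY) -> Dict[str, str]:
    """Map each host to its status so the vulnerable ones can be patched first."""
    return {host: status(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    for host, st in sorted(triage().items(), key=lambda kv: kv[1] != "vulnerable"):
        print(f"{host:15s} {st}")
```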
Update your vCenter Server 6.7 installations immediately! This recently identified vulnerability enables malicious actors to compromise the very core of your virtual server environment, with devastating consequences for your production environment and critical servers.
These same malicious actors can then bring down your production and business-critical servers, adversely affecting your operations. Additionally, they have the ability to then access your virtual machines or intercept any inter-server communications, gaining access to your critical and sensitive data.