CVE-2019-5534

Name of the Vulnerable Software and Affected Versions VMware vCenter Server versions 6.0 prior to 6.0 U3j VMware vCenter Server versions 6.5 prior to 6.5 U3 VMware vCenter Server versions 6.7.x prior to 6.7 U3

Description The issue is related to insufficient protection of registration data in the vAppConfig properties of VMware vCenter Server, which can lead to information disclosure. A remote attacker may exploit this to gain access to user credentials. Specifically, virtual machines deployed from an OVF can expose login information via the virtual machine's vAppConfig properties, potentially allowing a malicious actor to view the credentials used to deploy the OVF, typically the root account of the virtual machine.

Recommendations For versions 6.0 prior to 6.0 U3j, update to 6.0 U3j or later to resolve the issue. For versions 6.5 prior to 6.5 U3, update to 6.5 U3 or later to resolve the issue. For versions 6.7.x prior to 6.7 U3, update to 6.7 U3 or later to resolve the issue. As a temporary workaround, consider restricting access to the vAppConfig properties of virtual machines deployed from an OVF to minimize the risk of exploitation.