VMware has let it be known that its vRealize Orchestrator, vRealize Operations, vCenter Operations and vCenter Application Discovery Manager products all need fixing to harden them against “a critical deserialization vulnerability”.
The flaw involves “Apache Commons-collections and a specially constructed chain of classes” and can result in “result in remote code execution, with the permissions of the application using the Commons-collections library.”
vRealize Orchestrator 6.x can be cured with this fix, while vCenter Orchestrator's inoculation is yours for the taking here for version 5.x. Patches for vRealize Operations and vCenter operations are on the way, a more-or-less acceptable delay because the exploitation is limited to local users. vCenter Application Discovery Manager's patch is pending.
Administrators of virtualised systems are copping it in the week before the holiday season, as the Xen Project has also popped out some patches. XSE-164 could see nasty escalation of the qemu process, XSA-165 might make it possible to retrieve encryption keys from a Xen-powered rig and XSA-166 offers privilege escalation possibilities. ®