Patch now, vAdmins: that's the message from VMware after it revealed a "critical security issue in the VMware Client Integration Plugin."
Said plugin, VMware says, "does not handle session content in a safe way."
"This may allow for a Man-in-the-Middle attack or Web session hijacking in case the user of the vSphere Web Client visits a malicious Web site."
You'll need to get this sorted if you're running vCenter Server 6.0, vCenter Server 5.5 U3a, U3b, U3c, vCloud Director 5.5.5 or the vRealize Automation Identity Appliance 6.2.4, as they all shipped with the offending plugin.
Fixing the flaw is non-trivial, as you'll need to repair both the client and server sides – so upgrades to vCenter, vCloud Director or vRealize are the first step; next comes an upgrade of the plugin so the client is protected. At which point we imagine more than a few organisations will start to wish they had a proper inventory describing all workstations on which the plugin has been installed.
One small ray of sunshine can be seen in VMware's efforts to start offering HTML5 clients. As if world+dog needed another reminder of how badly plugins – cough Flash, cough Java – have messed up security. ®