CVE-2015-6934

moderate-risk
Published 2015-12-21

Serialized-object interfaces in VMware vRealize Orchestrator 6.x, vCenter Orchestrator 5.x, vRealize Operations 6.x, vCenter Operations 5.x, and vCenter Application Discovery Manager (vADM) 7.x allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.

Do I need to act?

~
1.8% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.3/10 High
NETWORK / LOW complexity

Affected Products (7)

Vcenter Orchestrator
Vcenter Orchestrator
Vcenter Orchestrator
Vrealize Orchestrator
Vcenter Orchestrator
Vrealize Orchestrator
Vrealize Orchestrator

Affected Vendors

Vmware

References (4)

http://www.securityfocus.com/bid/79648
Vendor Advisory http://www.vmware.com/security/advisories/VMSA-2015-0009.html
http://www.securityfocus.com/bid/79648
Vendor Advisory http://www.vmware.com/security/advisories/VMSA-2015-0009.html
45
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 5/34 · Minimal
Exposure 14/34 · Moderate