VMware vCenter Server updates address an important reflected cross-site scripting issue

3.a Commons-collections deserialization vulnerability

A deserialization vulnerability involving Apache Commons-collections and a specially constructed chain of classes exists. Successful exploitation could result in remote code execution, with the permissions of the application using the Commons-collections library.

VMware would like to thank Jacob Baines of Tenable Network Security for reporting that the vRealize Operations appliance is affected.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-6934 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.