VMware HCX: Code injection possible through SQL injection vulnerability
Broadcom has closed a security gap in VMware HCX with an update. Attackers can infiltrate and execute code through it.
There is a security vulnerability in VMware HCX that allows attackers to inject and execute code. Broadcom is providing updated software that fixes the underlying bugs. IT managers should apply the update without delay.
As Broadcom warns in a security advisory, VMware HCX is affected by an SQL injection vulnerability. Authenticated users with low privileges on the system can submit manipulated SQL queries and thereby inject unauthorized code from the network into the HCX Manager (CVE-2024-38814, CVSS 8.8, risk "high").
VMware HCX: Affected versions
The vulnerability is found in VMware HCX version branches 4.8.x, 4.9.x and 4.10.x. The now available updates to VMware HCX 4.8.3, 4.9.2 and 4.10.1 correct the security-relevant errors in the software.
The new software versions are available for download from Broadcom:
- VMware HCX 4.8.3 Download (Release Notes)
- VMware HCX 4.9.2 Download (Release Notes)
- VMware HCX 4.10.1 Download (Release Notes)
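A small check that a defender can run against an inventory of HCX Manager versions to see which installations still need the CVE-2024-38814 update, based only on the affected branches and fixed releases named above. This is an added example, not code from Broadcom or from the article; the version strings fed to it are constructed, and branches the article does not mention are reported as "not listed" rather than guessed at.

```python
# Added example (not part of the article): classify an installed VMware HCX
# version against the affected branches and fixed releases the article names
# (4.8.x -> 4.8.3, 4.9.x -> 4.9.2, 4.10.x -> 4.10.1). Any other branch is
# reported as "not listed" because the article says nothing about it.
from typing import Tuple

# Fixed release per affected branch, as stated in the article.
FIXED_RELEASES = {
    (4, 8): (4, 8, 3),
    (4, 9): (4, 9, 2),
    (4, 10): (4, 10, 1),
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.9.1' (or '4.9.1.0') into a tuple of ints for numeric comparison.
    A plain string compare would wrongly rank '4.10.1' below '4.9.2'."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised HCX version string: {text!r}")
    return tuple(int(p) for p in parts)

def hcx_status(text: str) -> str:
    """Return 'vulnerable', 'fixed' or 'not listed' for an HCX version string."""
    version = parse_version(text)
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return "not listed"  # branch not covered by the article's advisory summary
    # Pad to three components so a bare '4.9' compares as 4.9.0.
    padded = version + (0,) * (3 - len(version)) if len(version) < 3 else version
    return "fixed" if padded[:3] >= fixed else "vulnerable"

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for v in ("4.8.2", "4.8.3", "4.9.1", "4.10.0", "4.10.1", "4.7.5"):
        print(f"{v:8} {hcx_status(v)}")
```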
As the vulnerability, with a CVSS score of 8.8, only just misses the "critical" risk classification, admins should download and install the updates promptly. This reduces the attack surface.
Products from the VMware environment are a popular target for cyber criminals. At the end of July, for example, a security vulnerability in VMware ESXi was actively attacked. Microsoft had observed the attacks, but the scope remained unclear.
VMware HCX is what the provider calls an "application mobility platform". It allows workloads to be distributed across data centers and clouds through application migration.
In mid-September, Broadcom had to patch two security vulnerabilities in VMware's vCenter Server. These also allowed malicious actors on the network to inject malicious code. Another vulnerability led to elevated privileges on the system.
(dmk)