Showing posts with the label CVSSv3

VMware vCenter Server heap-overflow and privilege escalation vulnerabilities addressed

Broadcom has released an update to address the two vulnerabilities below. They affect vCenter Server 7.x and 8.x. The VMware vCenter Server heap-overflow vulnerability (CVE-2024-38812) carries a CVSSv3 score of 9.8. The VMware vCenter Server privilege escalation vulnerability (CVE-2024-38813) carries a CVSSv3 score of 7.5. Both are resolved by a new binary update for vCenter Server 7U3s and vCenter Server 8U3b. This also affects any VCF 4.x and 5.x deployment that contains vCenter Server 7.x or 8.x. With such a rare critical severity, it is always recommended to apply the update as soon as possible. Check out this article for more information.

VMware vCenter Server VMSA-2023-0023

VMware has released a security advisory regarding vCenter Server; you can refer to it here. The advisory addresses CVE-2023-34048 and CVE-2023-34056, which have CVSSv3 scores of 9.8 and 4.3 respectively. It applies to vCenter Server 7.x and 8.x, and therefore also affects VCF 3.x and 4.x, which use these vCenter Server versions. The resolution is to apply the fixed version released. Read carefully for any caveats that apply to the particular build you are updating. All of the above has been summarized in this article, which was released on 24th October. Do take some time to read it and understand the risk and impact.

Security Alert: Aria Operations for Networks

If you are using Aria Operations for Networks, take note of these vulnerabilities and get them patched as soon as possible. They carry a CVSSv3 rating of up to 9.8, which is a very critical rating, and allow an attacker to gain access to information held in Aria Operations for Networks. Check the security advisories for the fixed version and act accordingly.

Vulnerability Alert: VMware Carbon Black App Control

VMware has released a security advisory on a vulnerability in VMware Carbon Black App Control. It carries a CVSSv3 score of 9.1 and allows an attacker to gain privileged access to the operating system that Carbon Black App Control is running on. The fix was prompt and is readily available for download. It is recommended to patch if you are using this product. Refer to https://www.vmware.com/security/advisories/VMSA-2023-0004.html for more information.

vRealize Log Insight Security Vulnerability

A happy new year to everyone. Hopefully this year will be a great year for everyone. My first blog article of the year is to bring attention to vRealize Log Insight, which needs to be updated to fix the latest vulnerabilities, two of which have a CVSSv3 rating of 9.8. Though there is no report of any security incident due to these vulnerabilities, it is still highly recommended to patch the tool before anything happens. It is also great to see VMware being active in identifying the issue and releasing the patch before any such incident is reported. Do check out VMSA-2023-0001 to read more about the two vulnerabilities with the 9.8 rating.

Major Vulnerability for VMware Workspace One Access

If you have not been following, here is an article published today, at the same time as the release of VMSA-2022-0014, which contains CVSSv3 ratings between 7.8 and 9.8. This impacts the use of Workspace One Access on its own in Workspace One, or together with other products such as vRA, VCF, and vRSLCM. It is recommended and advised to patch this immediately.

VMware Identity Manager (vIDM) Vulnerability Alert!

If you are running VMware Identity Manager (vIDM), which comes from Workspace One (known as Workspace One Access) or with vRealize Automation (vRA), this is something you need to take note of and act on right now. A security advisory with a CVSSv3 rating of more than 9 has been released, and it is best to update to the fixed version. Since vIDM is used for SSO access and many users will be leveraging it, apply the fix as soon as possible to avoid serious impact. Refer to VMSA-2022-001.

VMware Vulnerability for Carbon Black App Control

VMware has just released a security advisory, VMSA-2022-0008, on VMware Carbon Black App Control with a CVSSv3 rating of 9.1. It addresses two CVEs, CVE-2022-22951 and CVE-2022-22952. Both are addressed via the released patch. As always, apply it as soon as possible.

VMware Just Announced VMSA-2021-0028 with a CVSSv3 Score of 10

Early this morning, 11th Dec 2021 SGT, VMware released a security advisory announcement, VMSA-2021-0028, regarding a critical vulnerability in Apache Log4j identified by CVE-2021-44228, with a full CVSSv3 score of 10. VMware immediately worked on the several affected products, providing workarounds or patches. As this is a full-score rating, we will likely see VMware update workarounds at least and release patches in the next few days. Do check back on the page for more updates. Note that this is not a vulnerability specific to VMware; it is an Apache vulnerability, affecting all solutions that use Apache Log4j. So check your environment and ensure that every solution in it that contains Apache Log4j is worked on. A FAQ site has also been released for those with questions regarding this. If you are not already aware of it, do subscribe to the VMware Security Advisory.