Showing posts with the label security advisory

Security Advisory: VMware Cloud Director

Another advisory with a high CVSSv3 rating of 9.8 was released here for the VMware Cloud Director appliance. For those not aware, the virtual appliance is a prepackaged virtual machine with the configuration built in for easy deployment. This time the cause is an authentication bypass vulnerability that allows a user to bypass authentication on port 22 (SSH) or port 5480 after the appliance has been upgraded to version 10.5 from an older version. To resolve this, an updated KB has been released that provides a script for the workaround. Do note that this affects only VMware Cloud Director version 10.5 upgraded from an older version, not new deployments or other versions.

VMware vCenter Server VMSA-2023-0023

VMware has released a security advisory regarding vCenter Server. You can refer to it here. This advisory addresses CVE-2023-34048 and CVE-2023-34056, which have CVSSv3 scores of 9.8 and 4.3 respectively. It applies to vCenter Server versions 7.x and 8.x, and therefore also affects VCF 3.x and 4.x, which use these vCenter Server versions. The resolution is to apply the fixed versions released. Do read carefully for any caveats that apply to a particular build before you update. All of the above has been summarized in this article, which was released on 24th October. Do take some time to read it and understand the risk and impact.

Vulnerability Alert: VMware Carbon Black App Control

VMware has released a security advisory on a vulnerability in VMware Carbon Black App Control. It comes with a CVSSv3 score of 9.1. It allows an attacker to gain privileged access to the operating system that Carbon Black App Control is running on. The fix was prompt and is readily available for download. It is recommended to patch if you are using this product. Refer to https://www.vmware.com/security/advisories/VMSA-2023-0004.html for more information.

Heartbleed Security Patches Fully Released

Following the recent Heartbleed security issue affecting software that uses OpenSSL version 1.0.1: as of 20th April 2014, VMware has released security advisories for all affected products, as listed here. Products using OpenSSL versions below 1.0.1 are not affected, as listed. VMware has put in great effort to release all of these security patches since the discovery was announced on 14th April 2014, with the first patch released the day after. The advice is to apply all recommended security advisories as soon as possible to avoid any security breach.