Showing posts with the label vulnerabilities

VMware vCenter Server addresses heap-overflow and privilege escalation vulnerabilities

Broadcom has released an update to address the two vulnerabilities below. They affect vCenter Server 7.x and 8.x. VMware vCenter Server heap-overflow vulnerability (CVE-2024-38812): this carries a CVSSv3 score of 9.8. VMware vCenter Server privilege escalation vulnerability (CVE-2024-38813): this carries a CVSSv3 score of 7.5. Both are resolved by a new binary update, vCenter Server 7.0 U3s and vCenter Server 8.0 U3b. This also affects any VMware Cloud Foundation (VCF) 4.x or 5.x deployment, since those bundle vCenter Server 7.x or 8.x, so the vCenter component of VCF needs the same update. A critical rating like this is rare, so it is always recommended to apply the update as soon as possible; if you cannot patch immediately, at least restrict network access to the vCenter management interfaces to trusted administrative networks in the meantime. Check out this article for more information.

Security Advisory: VMware Cloud Director

Another CVSSv3 9.8 rating was released here, this time for the VMware Cloud Director appliance. For those not aware, the virtual appliance is a prepackaged virtual machine with the configuration already embedded for easy deployment. This time it is an authentication bypass vulnerability that allows a user with network access to the appliance to bypass authentication on port 22 (SSH) or port 5480 (the appliance management console) after it has been upgraded to version 10.5 from an older version. The bypass does not apply to the provider and tenant login on port 443. To resolve this, the updated KB has been released and provides a script as a workaround. Do note that this affects only a VMware Cloud Director 10.5 appliance that was upgraded from an older version, not new 10.5 deployments or other versions, so the first thing to check is whether your 10.5 appliance was freshly deployed or upgraded in place.

Security Alert: Aria Operations for Networks

If you are using Aria Operations for Networks, you might want to take note of these vulnerabilities and get them patched as soon as possible. They carry a CVSSv3 rating of up to 9.8, which is a critical rating. They allow an attacker with network access to the appliance to gain access to it and to the information held in Aria Operations for Networks. Do check the security advisories for the fixed version and act accordingly.

Critical: vCenter Server Vulnerability VMSA-2021-0002

Many might have been alerted to the recent vCenter Server vulnerability, which was rated 9.8 on the 10-point CVSSv3 scale. One report of it can be found here, published on Feb 23rd. If you have subscribed to the VMware Security Advisories, you would have received this information as VMSA-2021-0002. I would strongly encourage anyone using a VMware solution to subscribe to the VMware Security Advisories so as to be kept informed of any security information. If you refer to VMSA-2021-0002, the fixed releases were vCenter Server 7.0 U1c on Dec 17th, 6.7 U3l on Nov 19th and lastly 6.5 U3n on Feb 23rd, one day after the report. If you had been keeping up to date, you would have been protected well before the report was announced. The only version fixed after the fact was 6.5, released a day later, but based on the report that is a one-day turnaround, which is still impressive. This is also very critical for vCenter Servers that are connected to the internet. However, this case would be minimal as most customers would not have placed t...