Early this morning VMware released vCenter Server 7.0U3i (plus an update/patch to ESXi, vCenter and vCF for versions 7.0, 6.7 and 6.5), which delivers a few vCenter Server fixes (Tanzu and Photon OS updates) and at the same time addresses multiple security vulnerabilities (CVE-2022-31696, CVE-2022-31697, CVE-2022-31698, CVE-2022-31699).
Here’s the link to the release notes for 7.0U3i: VMware vCenter Server 7.0 Update 3i Release Notes
As far as the new SA (security advisory), check out all the information here: https://www.vmware.com/security/advisories/VMSA-2022-0030.html
There is no known workaround, and the recommendation is to install the patched version of vCenter, ESXi and vCF.
A quick summary:
CVE-2022-31696 addresses an issue where VMware ESXi contains a memory corruption vulnerability that exists in the way it handles a network socket.
CVE-2022-31697 addresses an issue where vCenter Server contains an information disclosure vulnerability due to the logging of credentials in plaintext.
CVE-2022-31698 addresses an issue where vCenter Server contains a denial-of-service vulnerability in the content library service.
CVE-2022-31699 addresses a heap-overflow vulnerability contained in VMware ESXi.
The new versions are: vCenter server 7.0 U3i, 6.7.0 U3s, 6.5 U3u, ESXi 7.0 U3i, 6.7.0 U3s, 6.5 U3u. If you are running vCF, take a look at this KB: Guidelines to address multiple security vulnerabilities for VCF 3.x, VCF 4.3.x, VCF 4.4.x and VCF 4.5 releases by VMSA-2022-0030 (vmware.com)
Note that vCenter v8 and ESXi v8 are not impacted, and that vCenter Server 6.7 and 6.5 are end-of-life.
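As an added example (my own code, not from the post or from VMware), here is a small Python check that compares an inventory of vCenter/ESXi versions against the fixed releases listed above and reports what still needs patching. The host names and inventory rows are constructed; it assumes update designations sort alphabetically within an update number (U3i is newer than U3h), treats release lines the advisory does not list as unpatched, and does not look at build numbers.

```python
import re

# Fixed releases named in the post for VMSA-2022-0030, keyed by product and release line.
FIXED_RELEASES = {
    "vcenter": {"7.0": "U3i", "6.7": "U3s", "6.5": "U3u"},
    "esxi": {"7.0": "U3i", "6.7": "U3s", "6.5": "U3u"},
}
NOT_AFFECTED_MAJOR = 8  # vCenter 8 and ESXi 8 are not impacted per the post

# Accepts '7.0 U3h', '6.7.0 U3s' or '8.0' (assumed input format)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.\d+)?\s*(?:U(\d+)([a-z]?))?$", re.IGNORECASE)


def parse_version(text):
    """Parse a version string into (major, minor, update, letter)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, update, letter = m.groups()
    return int(major), int(minor), int(update or 0), (letter or "").lower()


def check_version(product, version):
    """Return (patched, reason); unlisted release lines fail closed as unpatched."""
    major, minor, update, letter = parse_version(version)
    if major >= NOT_AFFECTED_MAJOR:
        return True, "not affected"
    line = f"{major}.{minor}"
    fixed = FIXED_RELEASES.get(product.lower(), {}).get(line)
    if fixed is None:
        return False, f"release line {line} not covered; treat as unpatched"
    fixed_update, fixed_letter = parse_version(f"{line} {fixed}")[2:]
    if (update, letter) >= (fixed_update, fixed_letter):
        return True, f"at or above {line} {fixed}"
    return False, f"below fixed release {line} {fixed}"


def unpatched_hosts(inventory):
    """Filter (name, product, version) rows down to those that still need the patch."""
    results = []
    for name, product, version in inventory:
        patched, reason = check_version(product, version)
        if not patched:
            results.append((name, product, version, reason))
    return results


# Constructed sample inventory (not real hosts) to exercise the check.
SAMPLE_INVENTORY = [
    ("vcsa-01", "vCenter", "7.0 U3i"), ("vcsa-02", "vCenter", "7.0 U3h"),
    ("esx-01", "ESXi", "6.7.0 U3s"), ("esx-02", "ESXi", "6.5 U3t"),
    ("esx-03", "ESXi", "8.0"), ("esx-04", "ESXi", "6.0 U3"),
]
```

Running `unpatched_hosts(SAMPLE_INVENTORY)` flags vcsa-02, esx-02 and esx-04, each with the reason it was flagged.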
For any more information, refer to https://www.vmware.com/security/advisories
Thanks all, and happy updating!
Disclaimer: The views expressed anywhere on this site are strictly mine and not the opinions and views of VMware.