  • 1.  How to know whether a vulnerability is applicable or not.

    Posted Aug 27, 2023 05:57 PM

    Recently, on 22nd June, VMware published an advisory with ID VMSA-2023-0014. My query is whether the following versions of vCenter are vulnerable:

     7.0.2 build 17958471 and 7.0.3 build 21686933.

    If you explain why or why not, it will be highly appreciated.



  • 2.  RE: How to know whether a vulnerability is applicable or not.

    Posted Aug 29, 2023 09:59 AM

    All vulnerabilities related to this ID are resolved in vCenter Server 7.0 Update 3m, so any version before this is vulnerable. Please see the release notes for the same:

    https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3m-release-notes/index.html

    https://www.vmware.com/security/advisories/VMSA-2023-0014.html


    Regards,

    Sachchidanand



  • 3.  RE: How to know whether a vulnerability is applicable or not.

    Posted Aug 29, 2023 08:20 PM

    It should also be clarified inside the company what types of patches for ESXi and vCenter should be installed in a mandatory way and what types can be skipped or, let's say, given low priority.

    But for sure, security patches should be installed as a MUST.



  • 4.  RE: How to know whether a vulnerability is applicable or not.

    Posted Sep 05, 2023 08:52 AM

    The VMware Skyline Health Diagnostics virtual appliance will provide the details about the vulnerability.

    It's free: just install the appliance and upload the log bundle, and it will provide an in-depth report about existing ESXi vulnerabilities.



  • 5.  RE: How to know whether a vulnerability is applicable or not.

    Posted Sep 05, 2023 08:43 PM


    See the response matrix section in the security advisory you raised, i.e. https://www.vmware.com/security/advisories/VMSA-2023-0014.html

    For ease of reference I have copied the table below. The wording may not be entirely clear, but affected versions are shown in the "Running On" column. Note the 2 entries circled state "Any" version, and the Fixed Version is 7.0U3m. Therefore ALL builds prior to 7.0U3m are affected.

    You quoted vCenter version 7.0.2 build 17958471. From the vCenter builds page linked below, this maps to 7.0 Update 2b (hence affected). The second build you quoted (7.0.3 build 21686933) is an ESXi build, and is therefore not relevant to this advisory.


    vCenter Builds - https://kb.vmware.com/s/article/2143838


    [Image: response matrix table copied from VMSA-2023-0014, with the two "Any" / 7.0U3m vCenter entries circled]


    HTH
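The reasoning in the reply above (match the product, check the "Running On" column, then compare the release mapped from the build against the Fixed Version) written out as a small checker. This is an added example, not code from the thread or from VMware; the release order and build map are constructed from what the thread states, and the matrix contains only the vCenter Server 7.0 row discussed here.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Ordered vCenter Server 7.0 releases, oldest first. Constructed subset: the thread
# only establishes that 7.0 U2b precedes 7.0 U3m; the real sequence is longer.
VCENTER_70_ORDER = ["7.0 U2b", "7.0 U3m"]

# Build number -> (product, release), as resolved in the reply via KB 2143838.
# 21686933 is identified there as an ESXi build; its release is not stated on the page.
BUILD_MAP: dict[int, Tuple[str, Optional[str]]] = {
    17958471: ("vCenter Server", "7.0 U2b"),
    21686933: ("ESXi", None),
}

@dataclass(frozen=True)
class MatrixRow:
    product: str        # "Product" column of the advisory response matrix
    version: str        # product line, e.g. "7.0"
    running_on: str     # "Running On" column; "Any" is a wildcard
    fixed_version: str  # "Fixed Version" column

# The VMSA-2023-0014 entries discussed in the thread: vCenter Server 7.0, Any, fixed in 7.0 U3m.
RESPONSE_MATRIX = [MatrixRow("vCenter Server", "7.0", "Any", "7.0 U3m")]

def parse_build(text: str) -> int:
    """Turn a string like '7.0.2 build 17958471' into the build number."""
    return int(text.lower().split("build")[-1].strip())

def assess_build(build: int, platform: str = "Any") -> str:
    """Return 'affected', 'fixed', 'not applicable' or 'unknown build' for one build."""
    if build not in BUILD_MAP:
        return "unknown build"           # not in the build map, so no release to compare
    product, release = BUILD_MAP[build]
    for row in RESPONSE_MATRIX:
        if row.product != product:
            continue                     # e.g. an ESXi build against a vCenter Server row
        if row.running_on not in ("Any", platform):
            continue                     # row applies only to a specific platform
        if release is None or not release.startswith(row.version):
            continue                     # different product line (e.g. 8.0 vs 7.0)
        if release not in VCENTER_70_ORDER:
            return "unknown build"       # release outside the constructed order list
        # Every release before the fixed version is affected; the fixed one and later are not.
        if VCENTER_70_ORDER.index(release) < VCENTER_70_ORDER.index(row.fixed_version):
            return "affected"
        return "fixed"
    return "not applicable"              # no matrix row matched this product
```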




  • 6.  RE: How to know whether a vulnerability is applicable or not.

    Posted Sep 06, 2023 08:10 AM

    Hello,


    Excellent consideration, but the way I see it, and wanting to go a little further, this recent bulletin is only the last published in chronological order related to a vCenter object after the "availability" of version 7.0U2b (and not limited to this product line only); all of them, in one way or another, are objectively "applicable". But if we want, the reasons for applying product updates do not derive only from the publication of any vulnerabilities but also from preventing / remedying known defects which, sooner or later, could impact the proper functioning of our IT infrastructures.


    Then everyone acts according to his own policies and priorities; there is no discussion about this.


    Regards,
    Ferdinando