 vCenter builds and advisory

Arseny Sukhanov posted Nov 08, 2024 11:43 AM

I have been researching several recent vCenter advisories and build numbers, viz.:

1. VMSA-2024-0019: for vulnerabilities CVE-2024-38812, CVE-2024-38813, a fix is available in version 8.0 U3d (build: 24322831) and 8.0 U2e (build: 24321653).

2. VMSA-2024-0012: for vulnerabilities CVE-2024-37079, CVE-2024-37080, a patch is available in version 8.0 U2d (build: 23929136) and 8.0 U1e (build: 24005165).

However, the official FAQ states, “Which versions or builds are affected by these issues? Problems occur if you are using any version of vCenter prior to the patched versions specified by VMSA.”

But for VMSA-2024-0019, the higher build is 8.0 U3d (build: 24322831), and it turns out that the fix 8.0 U2e (build: 24321653) doesn't fix the CVE? 

And for VMSA-2024-0012, to fix CVE-2024-37079, CVE-2024-37080, I need to install the higher build 8.0 U1e (build: 24005165)?

Or is it the other way around - builds with numbers above the minimum >= 8.0 U2e (build: 24321653) >= 8.0 U2d (build: 23929136) are no longer affected by this CVE?