VMware vSphere

 View Only

 vCenter builds and advisory

Arseny Sukhanov's profile image
Arseny Sukhanov posted Nov 08, 2024 11:43 AM

I have been researching several recent vCenter advisory and build numbers, viz:

1. VMSA-2024-0019 for vulnerabilities CVE-2024-38812, CVE-2024-38813 fix is available in version 8.0 U3d (build: 24322831) and 8.0 U2e (build: 24321653)

2. VMSA-2024-0012: for vulnerabilities CVE-2024-37079, CVE-2024-37080 a patch is available in version 8.0 U2d (build: 23929136) and 8.0 U1e (build: 24005165).

However, the official FAQ states, “Which versions or builds are affected by these issues? Problems occur if you are using any version of vCenter prior to the patched versions specified by VMSA.”

But for VMSA-2024-0019, the higher build is 8.0 U3d (build: 24322831), and it turns out that the fix 8.0 U2e (build: 24321653) doesn't fix the CVE? 

And for VMSA-2024-0012 and to fix CVE-2024-37079, CVE-2024-37080 I need to install the higher build 8.0 U1e (build: 24005165)?

Or is it the other way around - builds with numbers above the minimum >= 8.0 U2e (build: 24321653) >= 8.0 U2d (build: 23929136) are no longer affected by this CVE?

Andrea Consalvi's profile image
Andrea Consalvi posted Mar 17, 2025 07:18 AM

Hey Arseny,

For VMSA-2024-0019, if the fix is officially listed for 8.0 U3d (build: 24322831) and 8.0 U2e (build: 24321653), then any newer build (like U3d) should already include the fix from U2e. So no, you don’t necessarily need to install both U3d is already covered.

Same thing for VMSA-2024-0012: if 8.0 U2d (build: 23929136) and 8.0 U1e (build: 24005165) are mentioned as patched, any build higher than these should also include the fix.

So yeah, it’s more like any build equal to or higher than the ones listed in the advisory is safe you don’t need to worry about skipping updates as long as you’re on a newer build.