topic Re: How to know vulnerabilities is applicable or not. in vCenter™ Server Discussions

How to know vulnerabilities is applicable or not.

imtibd — Sun, 27 Aug 2023 17:56:44 GMT

Recently, on 22nd June VMware published advisory which ID is VMSA-2023-0014. My query is this the following version of vCenter are vulnerable

7.0.2 build 17958471 and 7.0.3 build 21686933.

If you explain why it is and why not it will highly appriciable.

Re: How to know vulnerabilities is applicable or not.

Sachchidanand — Tue, 29 Aug 2023 09:59:18 GMT

All vulnerablities related to this ID is resolved in vCenter Server 7.0 Update 3m, so any version before this is vulnerable...please see release notes for the same:

https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3m-release-notes/index.html

https://www.vmware.com/security/advisories/VMSA-2023-0014.html

Regards,

Sachchidanand

Re: How to know vulnerabilities is applicable or not.

maksym007 — Tue, 29 Aug 2023 20:20:00 GMT

It should be also clarified inside the company what types of patches for ESXi and vCenter should be installed in a mandatory way and what types can be skipped or let's say with low priority.

But for sure security patches should be installed as a MUST

Re: How to know vulnerabilities is applicable or not.

muakhtar — Tue, 05 Sep 2023 08:52:07 GMT

VMware Skyline Health Diagnostic virtual appliance will provide the depth about the vulnerability.

Its free version just install appliance and upload the log bundle it will provide the depth report about existing esxi vulnerability

Re: How to know vulnerabilities is applicable or not.

markey165 — Tue, 05 Sep 2023 20:44:49 GMT

@imtibd

See the response matrix section in the security advisory you raised ie https://www.vmware.com/security/advisories/VMSA-2023-0014.html

For ease of reference i have copied the table below. The wording may not be entirely clear, but affected versions are show in the "Running On" column. Note the 2 entries circled state "Any" version, and the Fixed version is 7.0U3m. Therefore ALL builds prior to 7.0U3m are affected.

You quoted vCenter version 7.0.2 build 17958471. From the vCenter builds page linked below, this maps to 7.0 Update 2b (hence=affected). The second build you quoted (7.0.3 build 21686933) is an ESXi build, and is therefore not relevant to this advisory.

vCenter Builds - https://kb.vmware.com/s/article/2143838

HTH

Re: How to know vulnerabilities is applicable or not.

Kinnison — Wed, 06 Sep 2023 08:10:19 GMT

Hello,

Excellent consideration, but the way I see it and wanting to go to go a little further this recent bulletin is only the last published in chronological order related to a vCenter object after the "availability" of version 7.0U2b (and not limited to this product line only), all of them in one way or another are objectively "applicable". But if we want, the reasons for applying product updates does not derive only from the publication of any vulnerabilities but also to prevent / remedy known defects which, sooner or later, could impact the proper functioning of our IT infrastructures.

Then everyone acts according to his policies and priorities, there is no discussion about this.

Regards,
Ferdinando