VMware Cloud Community
JoeMadden1989
Contributor

vCenter 6.7d Vulnerabilities

Hi All,

I'm configuring a new vCenter 6.7d installation and, as part of this, need to security scan the system. In this instance we've used OpenVAS to scan the appliance and hosts.

The scan on the vCenter has found a few interesting vulnerabilities which are:

High (CVSS: 7.5) NVT: Eclipse Jetty Server Fake Pipeline Request Security Bypass Vulnerability - CVE-2017-7658 (9084,9087 - tcp)

Medium (CVSS: 5.0) NVT: Eclipse Jetty Server InvalidPathException Information Disclosure Vulnerability - CVE-2018-12536

Medium (CVSS: 5.0) NVT: Apache Tomcat 'NIO/NIO2' Connectors Information Disclosure Vulnerability - CVE-2018-8037

Medium (CVSS: 5.0) NVT: Apache Tomcat 'UTF-8 Decoder' Denial of Service Vulnerability - CVE-2018-1336

Medium (CVSS: 5.0) NVT: Apache Tomcat 'Hostname Verification' Security Bypass Vulnerability - CVE-2018-8034

Medium (CVSS: 5.0) NVT: Apache Tomcat HTTP2 Security Bypass Vulnerability - CVE-2017-7675

Medium (CVSS: 4.3) NVT: Apache Tomcat Security Constraint Incorrect Handling Access Bypass Vulnerabilities - CVE-2018-1305, CVE-2018-1304

I can't see any VMware KBs stating these have been fixed or are listed as known issues.

Does VMware publish a list of known bugs which will be addressed in future updates?

Thanks

Joe.
