VMware Cloud Community
imtibd
Contributor

How to know whether a vulnerability is applicable or not.

Recently, on 22nd June, VMware published an advisory with ID VMSA-2023-0014. My query is whether the following versions of vCenter are vulnerable:

7.0.2 build 17958471 and 7.0.3 build 21686933.

If you could explain why or why not, it would be highly appreciated.

Sachchidanand
Expert

All vulnerabilities related to this ID are resolved in vCenter Server 7.0 Update 3m, so any version before this is vulnerable. Please see the release notes for the same:

https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3m-release-notes/index.ht...

https://www.vmware.com/security/advisories/VMSA-2023-0014.html


Regards,

Sachchidanand

maksym007
Expert

It should also be clarified inside the company what types of patches for ESXi and vCenter must be installed and what types can be skipped or, let's say, treated with low priority.

But for sure, security patches should be installed as a MUST.

muakhtar
Enthusiast

VMware Skyline Health Diagnostic virtual appliance will provide the depth about the vulnerability.

It's free; just install the appliance and upload the log bundle, and it will provide an in-depth report about existing ESXi vulnerabilities.

Munib Akhtar
VCP-DCV/VCP-DTM/VXRAIL
markey165
Hot Shot

@imtibd 

See the response matrix section in the security advisory you raised, i.e. https://www.vmware.com/security/advisories/VMSA-2023-0014.html

For ease of reference I have copied the table below. The wording may not be entirely clear, but affected versions are shown in the "Running On" column. Note the 2 entries circled state "Any" version, and the Fixed version is 7.0U3m. Therefore ALL builds prior to 7.0U3m are affected.

You quoted vCenter version 7.0.2 build 17958471. From the vCenter builds page linked below, this maps to 7.0 Update 2b (hence affected). The second build you quoted (7.0.3 build 21686933) is an ESXi build, and is therefore not relevant to this advisory.


vCenter Builds - https://kb.vmware.com/s/article/2143838

[Screenshot of the advisory's response matrix, not reproduced in text]

HTH

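The reasoning in the reply above is a small decision procedure: look the build number up to find which release it is, check that the build actually belongs to the product the advisory row covers, and compare the release against the row's "Fixed Version". The script below is an added example of that triage, not code from the thread or from VMware. The only real mapping it carries is the one the reply cites (build 17958471 is vCenter 7.0 Update 2b, per KB 2143838) and the one advisory row the reply describes (vCenter 7.0, "Running On" Any, fixed in 7.0 U3m); build 21686933 is recorded only as an ESXi build, as the reply states, with no release name attached. The lookup tables are therefore constructed stubs that a real script would populate from the full builds KB and from every row of the advisory's response matrix.

```python
"""Advisory triage: is this vCenter build affected by a VMSA whose fix is a named release?

Added example. Tables below are constructed stubs; only the entries taken from the
thread (17958471 -> 7.0 Update 2b; advisory row vCenter 7.0 / Any / fixed 7.0 U3m;
21686933 is an ESXi build) are real, and a production script would load the complete
vCenter builds KB and the full response matrix instead.
"""
import re
from typing import NamedTuple

# Constructed stub of the vCenter build-number -> release table (KB 2143838).
VCENTER_BUILD_TO_RELEASE = {17958471: "7.0 Update 2b"}

# Constructed stub: builds known to belong to ESXi, not vCenter. A vCenter advisory
# row does not apply to them, whatever their number looks like.
KNOWN_ESXI_BUILDS = {21686933}


class AdvisoryRow(NamedTuple):
    product: str        # product the row covers
    line: str           # product line, e.g. "7.0"; "Running On" is Any within that line
    fixed_release: str  # "Fixed Version" column


# The one response-matrix row described in the thread for VMSA-2023-0014.
VMSA_2023_0014_ROWS = [AdvisoryRow("vCenter", "7.0", "7.0 U3m")]


class Verdict(NamedTuple):
    status: str  # "affected", "fixed", "not_applicable", "unknown_build", "no_row"
    detail: str


# Accepts "7.0", "7.0 Update 2b", "7.0U3m", "7.0 U3" (case-insensitive).
_RELEASE_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\s*(?:Update|U)\s*(\d+)\s*([a-z])?)?\s*$", re.IGNORECASE)


def release_key(release: str) -> tuple:
    """Map a release string to a sortable (major, minor, update, letter) tuple.

    The GA of an update ("7.0 U3") sorts before its first patch ("7.0 U3a"), so the
    letter maps to 0 when absent and to 1..26 otherwise.
    """
    m = _RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    major, minor, update, letter = m.groups()
    update_n = int(update) if update else 0
    letter_n = ord(letter.lower()) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), update_n, letter_n)


def release_status(release: str, product: str = "vCenter",
                   rows=VMSA_2023_0014_ROWS) -> Verdict:
    """Compare a known release against the advisory rows for its product line."""
    key = release_key(release)
    line = f"{key[0]}.{key[1]}"
    for row in rows:
        if row.product != product or row.line != line:
            continue
        if key < release_key(row.fixed_release):
            return Verdict("affected",
                           f"{release} is earlier than fixed version {row.fixed_release}")
        return Verdict("fixed",
                       f"{release} is at or after fixed version {row.fixed_release}")
    return Verdict("no_row", f"advisory has no {product} row for the {line} line")


def triage(build: int, product: str = "vCenter") -> Verdict:
    """Resolve a build number to a release, then decide whether the advisory applies."""
    if build in KNOWN_ESXI_BUILDS:
        return Verdict("not_applicable",
                       f"build {build} is an ESXi build; the {product} rows do not apply")
    release = VCENTER_BUILD_TO_RELEASE.get(build)
    if release is None:
        return Verdict("unknown_build",
                       f"build {build} is not in the build table; check the builds KB")
    return release_status(release, product)


if __name__ == "__main__":
    for b in (17958471, 21686933, 99999999):
        v = triage(b)
        print(f"{b}: {v.status:>14}  {v.detail}")
```

Running it reproduces the reply's two conclusions (17958471 is affected, 21686933 is not a vCenter build) and flags any build the table does not know rather than guessing. The `release_key` ordering is what turns "Any version before 7.0U3m" into a mechanical check, and it also handles the GA-before-patch edge ("7.0 U3" sorts before "7.0 U3a"), which a naive string comparison gets wrong.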
Kinnison
Expert

Hello,


Excellent consideration, but the way I see it, and wanting to go a little further, this recent bulletin is only the last published in chronological order related to a vCenter object after the "availability" of version 7.0U2b (and not limited to this product line only); all of them, in one way or another, are objectively "applicable". But if we want, the reasons for applying product updates do not derive only from the publication of any vulnerabilities but also from the need to prevent / remedy known defects which, sooner or later, could impact the proper functioning of our IT infrastructures.


Then everyone acts according to his policies and priorities, there is no discussion about this.


Regards,
Ferdinando
