Does anyone know if I can safely upgrade from vCenter 6.7 update 3p to vCenter 7.0 Update 3d?
People running vCenter Server 6.5 Update 3r and vCenter Server 6.7 Update 3p could not upgrade to vCenter Server 7.0 Update 3c because of the following note in the release note:
| | 6.5 Update 3r | 6.7 Update 3p | 7.0 Update 3c | CVEs exposed |
|---|---|---|---|---|
| Apache Tomcat | 8.5.68 | 8.5.68 | 8.5.63, 8.5.66 | CVE-2021-41079 (7.5) |
| Eclipse Jetty | 9.4.43 | 9.4.39 | 9.4.39 | CVE-2021-34429 (5.0) |
| cURL | 7.78.0 | 7.78.0 | 7.75.0 | CVE-2021-22897 (5.3) |
| OpenSSL library | 1.0.2za | 1.0.2za | 1.0.2y | CVE-2021-3712 (7.4) |
| Oracle (Sun) JRE and JDK | 1.8.0_301 | 1.8.0_301 | 1.8.0_291 | CVE-2021-2388 (5.1) |
| SQLite | 3.34.1 | 3.34.0 | 3.33.0 | CVE-2021-20227 (5.5) |
VMware has just released vCenter 7.0 update 3d but the release note did not state whether or not these issues were resolved.
Does anyone know one way or the other?
Ciao
The vCenter 7.0u3d has:
Security Issues
cURL is updated to version 7.79.1.
Eclipse Jetty is upgraded to version jetty-9.4.43.v20210629.
The Oracle (Sun) JRE package is updated to version 1.8.0_311.
The Apache Tomcat server is updated to versions 8.5.68 and 9.0.50.
The OpenSSL library is updated to version 1.0.2za.
The SQLite database is updated to version 3.36.0.
Apache log4j is updated to version 2.17.1.
Apache Struts is updated to version 2.5.28.3.
VMware vCenter Server 7.0 Update 3d Release Notes
which are versions higher than or equal to those present in the 7u3p.
So I guess there should be no more vulnerabilities.
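Added example, not part of the original thread or VMware's tooling: the comparison done by eye in the reply above, as a Python check that flags any bundled component that would go backwards in an upgrade. The version numbers are transcribed from the table and the 7.0 Update 3d list in this thread; the function and variable names are assumptions made for the example.

```python
import re

def version_key(version):
    """Sortable key for the styles above: 8.5.68, 1.0.2za, 1.8.0_301, 9.4.43.v20210629."""
    key = []
    for token in re.split(r"[._]", version.strip()):
        if re.fullmatch(r"v\d+", token):  # Jetty build-date qualifier, ignored for ordering
            continue
        match = re.fullmatch(r"(\d+)([a-z]*)", token)
        if match is None:
            raise ValueError(f"unrecognised token {token!r} in {version!r}")
        number, letters = match.groups()
        # OpenSSL 1.0.2 letters run a..z, then za, zb, ...: a longer suffix sorts later.
        key.append((int(number), len(letters), letters))
    return tuple(key)

def regressions(source, target):
    """Components whose oldest bundled version in target is older than the source's."""
    found = []
    for component, src_version in source.items():
        if component not in target:
            continue  # target list does not mention it, so nothing to compare
        oldest = min(target[component], key=version_key)  # conservative when several ship
        if version_key(oldest) < version_key(src_version):
            found.append(component)
    return found

# Versions transcribed from the thread (source releases ship one version each).
SOURCES = {
    "6.5 U3r": {"Apache Tomcat": "8.5.68", "Eclipse Jetty": "9.4.43", "cURL": "7.78.0",
                "OpenSSL": "1.0.2za", "Oracle JRE": "1.8.0_301", "SQLite": "3.34.1"},
    "6.7 U3p": {"Apache Tomcat": "8.5.68", "Eclipse Jetty": "9.4.39", "cURL": "7.78.0",
                "OpenSSL": "1.0.2za", "Oracle JRE": "1.8.0_301", "SQLite": "3.34.0"},
}
TARGETS = {
    "7.0 U3c": {"Apache Tomcat": ["8.5.63", "8.5.66"], "Eclipse Jetty": ["9.4.39"],
                "cURL": ["7.75.0"], "OpenSSL": ["1.0.2y"],
                "Oracle JRE": ["1.8.0_291"], "SQLite": ["3.33.0"]},
    "7.0 U3d": {"Apache Tomcat": ["8.5.68", "9.0.50"], "Eclipse Jetty": ["9.4.43.v20210629"],
                "cURL": ["7.79.1"], "OpenSSL": ["1.0.2za"],
                "Oracle JRE": ["1.8.0_311"], "SQLite": ["3.36.0"]},
}

if __name__ == "__main__":
    for src_name, src in SOURCES.items():
        for tgt_name, tgt in TARGETS.items():
            print(f"{src_name} -> {tgt_name}: {regressions(src, tgt) or 'no regressions'}")
```

The check covers only the six components listed in the table; it says nothing about components the release notes do not mention.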
Thank you Fabio.
Yesterday's release note showed only updates for cURL, Eclipse Jetty and Oracle JRE. Looks like they updated it overnight.
Thanks again