Hi All,
I'm configuring a new vCenter 6.7d installation and, as part of this, need to security scan the system. In this instance we've used OpenVAS to scan the appliance and hosts.
The scan on the vCenter has found a few interesting vulnerabilities which are:
High (CVSS: 7.5) NVT: Eclipse Jetty Server Fake Pipeline Request Security Bypass Vulnerability - CVE-2017-7658 (9084,9087 - tcp)
Medium (CVSS: 5.0) NVT: Eclipse Jetty Server InvalidPathException Information Disclosure Vulnerability - CVE-2018-12536
Medium (CVSS: 5.0) NVT: Apache Tomcat 'NIO/NIO2' Connectors Information Disclosure Vulnerability - CVE-2018-8037
Medium (CVSS: 5.0) NVT: Apache Tomcat 'UTF-8 Decoder' Denial of Service Vulnerability - CVE-2018-1336
Medium (CVSS: 5.0) NVT: Apache Tomcat 'Hostname Verification' Security Bypass Vulnerability - CVE-2018-8034
Medium (CVSS: 5.0) NVT: Apache Tomcat HTTP2 Security Bypass Vulnerability - CVE-2017-7675
Medium (CVSS: 4.3) NVT: Apache Tomcat Security Constraint Incorrect Handling Access Bypass Vulnerabilities - CVE-2018-1305, CVE-2018-1304
I can't see any VMware KBs stating these have been fixed or are listed as known issues.
Does VMware publish a list of known bugs which will be addressed in future updates?
Thanks
Joe.