VMware vCenter Server updates address an information disclosure vulnerability


Userlevel 7
Badge +5

The following disclosure vulnerability (CVE-2022-22948) was reported to VMware by Yuval Lazar (@Ul7raVi0l3t) of Pentera. To remediate this vulnerability, apply the patch in the response matrix below as it applies to you.

 

The vCenter Server contains an information disclosure vulnerability due to improper permission of files. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.5.

Below are the affected products

  • VMware vCenter Server (vCenter Server)
  • VMware Cloud Foundation (Cloud Foundation)

An information disclosure vulnerability in VMware vCenter Server was privately reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.

Known Attack Vectors

A malicious actor with non-administrative access to the vCenter Server may exploit this issue to gain access to sensitive information.

Resolution

To remediate CVE-2022-22948 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below the response matrix.

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
vCenter Server 7.0 Any CVE-2022-22948 5.5 Moderate  7.0 U3d None None
vCenter Server 6.7 Virtual Appliance CVE-2022-22948 5.5 Moderate  6.7 U3p None None
vCenter Server 6.7 Windows CVE-2022-22948 N/A N/A Unaffected N/A N/A
vCenter Server 6.5 Virtual Appliance CVE-2022-22948 5.5 Moderate  6.5 U3r None None
vCenter Server 6.5 Windows CVE-2022-22948 N/A N/A Unaffected N/A N/A

Impacted Product Suites that Deploy Response Matrix Components

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
Cloud Foundation (vCenter Server) 4.x Any CVE-2022-22948 5.5 Moderate  Patch pending None None
Cloud Foundation (vCenter Server) 3.x Any CVE-2022-22948 5.5 Moderate  3.11 None None

You may want to learn more about this disclosure. Kindly click on the following link1, or link2.


4 comments

Userlevel 7
Badge +8

Thanks for sharing. 👍🏼

Userlevel 7
Badge +8

Interesting, thank you 😎👍🏼

Very Cool!

thanks for sharing buddy!

Userlevel 5
Badge

 VMware ESXi and vCenter Server updates address multiple security vulnerabilities (CVE-2022-31680, CVE-2022-31681)

 

The vCenter Server contains an unsafe deserialisation vulnerability in the  Platform services controller updates are on 6th October 2022  More Insightful details can be found in the below link 

 

https://www.vmware.com/security/advisories/VMSA-2022-0025.html

Comment