Broadcom just released a patch for vCenter 7 and 8 that addresses two major vulnerabilities - one of which has a CVSSv3 score of 9.8:

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968

A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution.

Just network access is enough to be vulnerable. Time to pull that vCenter off the internet (oh man, you aren’t actually doing that, right?) and patch it up.

Luckily, patches for vCenter version 7 and vCenter version 8 that address these vulnerabilities have already been released.

VMware vCenter Server 8.0 U3b
Downloads and Documentation:
https://support.broadcom.com/web/ecx/solutiondetails?patchId=5515
https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-vcenter-server-80u3b-release-notes/index.html

VMware vCenter Server 7.0 U3s
Downloads and Documentation:
https://support.broadcom.com/web/ecx/solutiondetails?patchId=5513
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3s-release-notes/index.html

Happy patching everyone!

Just patched my vCenter.  Hosts tomorrow.


Seems this has been needed a lot lately, regardless of software solution… 🤔

Thanks Tyler!


Thanks @TylerJurgens for the update.


FYI, I saw rumblings last night for those that were using VCSA v8 that there were some web interface stability issues after updating that necessitated clearing cookies or using incognito mode post-update. Those using v7 were not reporting similar issues. I expect there's going to be a bug found/announced there and an eventual patch.


Broadcom has acknowledged this issue and has a KB out now to address it:
https://knowledge.broadcom.com/external/article?articleNumber=377734


Nice to see them acting on it.
