VMware vCenter Server updates address heap-overflow and privilege escalation vulnerabilities


TylerJurgens

Broadcom just released a patch for vCenter 7 and 8 that addresses two major vulnerabilities - one of which has a CVSSv3 score of 9.8:

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968


A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution.


Just network access is enough to be vulnerable. Time to pull that vCenter off the internet (oh man, you aren’t actually doing that, right?) and patch it up.


Luckily there are patches available for vCenter version 7 and vCenter version 8 already released that address these vulnerabilities.


VMware vCenter Server 8.0 U3b
Downloads and Documentation:
https://support.broadcom.com/web/ecx/solutiondetails?patchId=5515
https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-vcenter-server-80u3b-release-notes/index.html

VMware vCenter Server 7.0 U3s
Downloads and Documentation:
https://support.broadcom.com/web/ecx/solutiondetails?patchId=5513
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3s-release-notes/index.html


Happy patching everyone!

6 comments

Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • 8440 comments
  • September 17, 2024

Just patched my vCenter. Hosts tomorrow.


coolsport00
  • Veeam Legend
  • 4132 comments
  • September 18, 2024

Seems this has been needed a lot lately, regardless of software solution… 🤔

Thanks Tyler!


vAdmin
  • Influencer
  • 168 comments
  • September 18, 2024

Thanks @TylerJurgens for the update.


dloseke
  • Veeam Vanguard
  • 1447 comments
  • September 19, 2024

FYI, I saw rumblings last night from those using VCSA v8 that there were some web interface stability issues after updating that necessitated clearing cookies or using incognito mode post-update. Those using v7 were not reporting similar issues. I expect there's going to be a bug found/announced there and an eventual patch.


TylerJurgens
  • Author
  • Influencer
  • 161 comments
  • September 19, 2024
dloseke wrote:

FYI, I saw rumblings last night from those using VCSA v8 that there were some web interface stability issues after updating that necessitated clearing cookies or using incognito mode post-update. Those using v7 were not reporting similar issues. I expect there's going to be a bug found/announced there and an eventual patch.

Broadcom has acknowledged this issue and has a KB out now to address it:
https://knowledge.broadcom.com/external/article?articleNumber=377734


Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • 8440 comments
  • September 19, 2024
TylerJurgens wrote:
dloseke wrote:

FYI, I saw rumblings last night from those using VCSA v8 that there were some web interface stability issues after updating that necessitated clearing cookies or using incognito mode post-update. Those using v7 were not reporting similar issues. I expect there's going to be a bug found/announced there and an eventual patch.

Broadcom has acknowledged this issue and has a KB out now to address it:
https://knowledge.broadcom.com/external/article?articleNumber=377734

Nice to see them acting on it.