===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2022.1346.3
           VMware vCenter Server updates address an information
                         disclosure vulnerability
                               30 March 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           vCenter Server and Cloud Foundation
Publisher:         VMware
Operating System:  Virtualisation
                   VMware ESX Server
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-22948

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2022-0009.html

Comment: CVSS (Max):  5.5 CVE-2022-22948 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
         CVSS Source: VMware
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Revision History:  March 30 2022: Fixed format
                   March 30 2022: Fixed bulletin number
                   March 30 2022: Initial Release

---------------------------BEGIN INCLUDED TEXT--------------------

Moderate

Advisory ID: VMSA-2022-0009
CVSSv3 Range: 5.5
Issue Date: 2022-03-29
Updated On: 2022-03-29 (Initial Advisory)
CVE(s): CVE-2022-22948
Synopsis: VMware vCenter Server updates address an information disclosure
vulnerability (CVE-2022-22948)

1. Impacted Products

  o VMware vCenter Server (vCenter Server)
  o VMware Cloud Foundation (Cloud Foundation)

2. Introduction

An information disclosure vulnerability in VMware vCenter Server was privately
reported to VMware. Updates are available to remediate this vulnerability in
affected VMware products.

3. vCenter Server information disclosure vulnerability (CVE-2022-22948)

Description

The vCenter Server contains an information disclosure vulnerability due to
improper permissions on files. VMware has evaluated the severity of this issue
to be in the Moderate severity range with a maximum CVSSv3 base score of 5.5.

Known Attack Vectors

A malicious actor with non-administrative access to the vCenter Server may
exploit this issue to gain access to sensitive information.

Resolution

To remediate CVE-2022-22948 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Notes

None.


Acknowledgements

VMware would like to thank Yuval Lazar (@Ul7raVi0l3t) of Pentera for reporting
this issue to us.

Response Matrix:

Product         Version  Running On         CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
vCenter Server  7.0      Any                CVE-2022-22948  5.5     moderate  7.0 U3d        None         None
vCenter Server  6.7      Virtual Appliance  CVE-2022-22948  5.5     moderate  6.7 U3p        None         None
vCenter Server  6.7      Windows            CVE-2022-22948  N/A     N/A       Unaffected     N/A          N/A
vCenter Server  6.5      Virtual Appliance  CVE-2022-22948  5.5     moderate  6.5 U3r        None         None
vCenter Server  6.5      Windows            CVE-2022-22948  N/A     N/A       Unaffected     N/A          N/A

Impacted Product Suites that Deploy Response Matrix Components:

Product                            Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
Cloud Foundation (vCenter Server)  4.x      Any         CVE-2022-22948  5.5     moderate  Patch pending  None         None
Cloud Foundation (vCenter Server)  3.x      Any         CVE-2022-22948  5.5     moderate  3.11           None         None

4. References

Fixed Version(s) and Release Notes:

vCenter Server 7.0 U3d
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC70U3D&productId=974&rPId=74352
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3d-release-notes.html

vCenter Server 6.7 U3p
Downloads and Documentation:
https://customerconnect.vmware.com/en/downloads/details?downloadGroup=VC67U3P&productId=742&rPId=78421
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3p-release-notes.html

vCenter Server 6.5 U3r
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC65U3R&productId=614&rPId=74057
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u3r-release-notes.html

VMware Cloud Foundation 3.11
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.11/rn/VMware-Cloud-Foundation-311-Release-Notes.html

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22948

FIRST CVSSv3 Calculator:
CVE-2022-22948: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

5. Change Log

2022-03-29 VMSA-2022-0009
Initial security advisory.

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================