-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1346.3
  VMware vCenter Server updates address an information disclosure vulnerability
                               30 March 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           vCenter Server and Cloud Foundation
Publisher:         VMware
Operating System:  Virtualisation
                   VMware ESX Server
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-22948

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2022-0009.html

Comment: CVSS (Max):  5.5 CVE-2022-22948 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
         CVSS Source: VMware
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Revision History:  March 30 2022: Fixed format
                   March 30 2022: Fixed bulletin number
                   March 30 2022: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Moderate

Advisory ID:   VMSA-2022-0009
CVSSv3 Range:  5.5
Issue Date:    2022-03-29
Updated On:    2022-03-29 (Initial Advisory)
CVE(s):        CVE-2022-22948
Synopsis:      VMware vCenter Server updates address an information disclosure
               vulnerability (CVE-2022-22948)

1. Impacted Products

  o VMware vCenter Server (vCenter Server)
  o VMware Cloud Foundation (Cloud Foundation)

2. Introduction

An information disclosure vulnerability in VMware vCenter Server was privately
reported to VMware. Updates are available to remediate this vulnerability in
affected VMware products.

3. vCenter Server information disclosure vulnerability (CVE-2022-22948)

Description

The vCenter Server contains an information disclosure vulnerability due to
improper permission of files. VMware has evaluated the severity of this issue
to be in the Moderate severity range with a maximum CVSSv3 base score of 5.5.

Known Attack Vectors

A malicious actor with non-administrative access to the vCenter Server may
exploit this issue to gain access to sensitive information.

Resolution

To remediate CVE-2022-22948 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Yuval Lazar (@Ul7raVi0l3t) of Pentera for reporting
this issue to us.

Response Matrix:

Product         Version  Running On         CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
vCenter Server  7.0      Any                CVE-2022-22948  5.5     moderate  7.0 U3d        None         None
vCenter Server  6.7      Virtual Appliance  CVE-2022-22948  5.5     moderate  6.7 U3p        None         None
vCenter Server  6.7      Windows            CVE-2022-22948  N/A     N/A       Unaffected     N/A          N/A
vCenter Server  6.5      Virtual Appliance  CVE-2022-22948  5.5     moderate  6.5 U3r        None         None
vCenter Server  6.5      Windows            CVE-2022-22948  N/A     N/A       Unaffected     N/A          N/A

Impacted Product Suites that Deploy Response Matrix Components:

Product                            Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
Cloud Foundation (vCenter Server)  4.x      Any         CVE-2022-22948  5.5     moderate  Patch pending  None         None
Cloud Foundation (vCenter Server)  3.x      Any         CVE-2022-22948  5.5     moderate  3.11           None         None

4. References

Fixed Version(s) and Release Notes:

vCenter Server 7.0 U3d
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC70U3D&productId=974&rPId=74352
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3d-release-notes.html

vCenter Server 6.7 U3p
Downloads and Documentation:
https://customerconnect.vmware.com/en/downloads/details?downloadGroup=VC67U3P&productId=742&rPId=78421
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3p-release-notes.html

vCenter Server 6.5 U3r
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC65U3R&productId=614&rPId=74057
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u3r-release-notes.html

VMware Cloud Foundation 3.11
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.11/rn/VMware-Cloud-Foundation-311-Release-Notes.html

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22948

FIRST CVSSv3 Calculator:
CVE-2022-22948: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

5. Change Log

2022-03-29 VMSA-2022-0009 Initial security advisory.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
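A patch-status check against the Response Matrix above, added here as an example and not VMware's or AusCERT's own tooling: it parses VMware's "major.minor Ux" version notation so that update levels compare in release order (U3c < U3d) and reports whether a given product, version and platform is unaffected, already at the fixed version, still vulnerable, or waiting on the pending Cloud Foundation 4.x patch. The product labels "vcenter" and "cloud-foundation", the platform labels and the status strings are this example's own assumptions.

```python
import re

# Transcribed from the VMSA-2022-0009 response matrix above. The product and
# platform labels are this example's own convention, not VMware's.
# key: (product, version branch, platform) -> fixed version, "unaffected",
# or None when the fix is still pending.
RESPONSE_MATRIX = {
    ("vcenter", "7.0", "any"): "7.0 U3d",
    ("vcenter", "6.7", "appliance"): "6.7 U3p",
    ("vcenter", "6.7", "windows"): "unaffected",
    ("vcenter", "6.5", "appliance"): "6.5 U3r",
    ("vcenter", "6.5", "windows"): "unaffected",
    ("cloud-foundation", "4", "any"): None,       # "Patch pending" in the matrix
    ("cloud-foundation", "3", "any"): "3.11",
}

# "7.0 U3d", "6.7 U3p", "3.11"; the update number and letter are optional.
VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\s*U(\d+)([a-z]?))?$", re.I)

def parse_version(text):
    """'7.0 U3d' -> (7, 0, 3, 'd'); tuples then compare in release order."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, update, letter = m.groups()
    return (int(major), int(minor or 0), int(update or 0), (letter or "").lower())

def lookup(product, running, platform):
    """Find the matrix row for this product branch, preferring a platform-specific row."""
    major, minor, *_ = parse_version(running)
    branch = f"{major}.{minor}" if product == "vcenter" else str(major)
    for plat in (platform.lower(), "any"):
        if (product, branch, plat) in RESPONSE_MATRIX:
            return RESPONSE_MATRIX[(product, branch, plat)]
    raise KeyError(f"{product} {branch} on {platform} is not covered by VMSA-2022-0009")

def assess(product, running, platform="any"):
    """Return (status, fixed_version); status is 'unaffected', 'fixed',
    'vulnerable' or 'vulnerable-patch-pending'."""
    fixed = lookup(product, running, platform)
    if fixed == "unaffected":
        return ("unaffected", None)
    if fixed is None:
        return ("vulnerable-patch-pending", None)
    if parse_version(running) >= parse_version(fixed):
        return ("fixed", fixed)
    return ("vulnerable", fixed)

if __name__ == "__main__":
    for args in [("vcenter", "7.0 U3c"), ("vcenter", "6.7 U3o", "windows"),
                 ("cloud-foundation", "4.4"), ("cloud-foundation", "3.10")]:
        print(args, "->", assess(*args))
```

Version strings that do not follow the matrix notation (for example build numbers) raise ValueError rather than being silently treated as patched.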