Virtualisation

CVE-2022-22948: VMware vCenter Server updates address an information disclosure vulnerability

Screenshot-2022-04-02-at-23.14.30

VMware vCenter Server is an advanced server management software that provides a centralized platform for controlling vSphere environments for visibility across hybrid clouds. You can quickly deploy vCenter Server as a pre-packaged, optimized, and easy-to-maintain virtual appliance. The following disclosure vulnerability was reported to VMware by Yuval Lazar (@Ul7raVi0l3t) of Pentera. To remediate this vulnerability, apply the patch in the response matrix below as it applies to you.

vCenter Server information disclosure vulnerability (CVE-2022-22948)

The vCenter Server contains an information disclosure vulnerability due to improper permission of files. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.5.

Below are the affected products

  • VMware vCenter Server (vCenter Server)
  • VMware Cloud Foundation (Cloud Foundation)

An information disclosure vulnerability in VMware vCenter Server was privately reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.

Known Attack Vectors

A malicious actor with non-administrative access to the vCenter Server may exploit this issue to gain access to sensitive information.

Resolution

To remediate CVE-2022-22948 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below the response matrix.

ProductVersionRunning OnCVE IdentifierCVSSv3SeverityFixed VersionWorkaroundsAdditional Documentation
vCenter Server7.0AnyCVE-2022-229485.5Moderate 7.0 U3dNoneNone
vCenter Server6.7Virtual ApplianceCVE-2022-229485.5Moderate 6.7 U3pNoneNone
vCenter Server6.7WindowsCVE-2022-22948N/AN/AUnaffectedN/AN/A
vCenter Server6.5Virtual ApplianceCVE-2022-229485.5Moderate 6.5 U3rNoneNone
vCenter Server6.5WindowsCVE-2022-22948N/AN/AUnaffectedN/AN/A

Impacted Product Suites that Deploy Response Matrix Components

ProductVersionRunning OnCVE IdentifierCVSSv3SeverityFixed VersionWorkaroundsAdditional Documentation
Cloud Foundation (vCenter Server)4.xAnyCVE-2022-229485.5Moderate Patch pendingNoneNone
Cloud Foundation (vCenter Server)3.xAnyCVE-2022-229485.5Moderate 3.11NoneNone

You may want to learn more about this disclosure. Kindly click on the following link.

Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x