
=====================================================================

                                CERT-Renater

                      Information Note No. 2021/VULN128
_____________________________________________________________________

DATE                : 30/03/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running vCenter Server versions prior to
                          7.0 U3d, 6.7 U3p or 6.5 U3r (virtual appliance);
                          Cloud Foundation (vCenter Server) 4.x (all
                          versions) and 3.x prior to 3.11.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2022-0009.html
_____________________________________________________________________

Severity:       Moderate
Advisory ID:    VMSA-2022-0009
CVSSv3 Range:   5.5
Issue Date:     2022-03-29
Updated On:     2022-03-29 (Initial Advisory)
CVE(s):         CVE-2022-22948


Synopsis:
VMware vCenter Server updates address an information disclosure
vulnerability (CVE-2022-22948)


1. Impacted Products
VMware vCenter Server (vCenter Server)
VMware Cloud Foundation (Cloud Foundation)


2. Introduction
An information disclosure vulnerability in VMware vCenter Server was
privately reported to VMware. Updates are available to remediate this
vulnerability in affected VMware products.


3. vCenter Server information disclosure vulnerability (CVE-2022-22948)

Description

The vCenter Server contains an information disclosure vulnerability due
to improper file permissions. VMware has evaluated the severity of this
issue to be in the Moderate severity range with a maximum CVSSv3 base
score of 5.5.

Known Attack Vectors

A malicious actor with non-administrative access to the vCenter Server
may exploit this issue to gain access to sensitive information.

Resolution

To remediate CVE-2022-22948 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds
None.

Additional Documentation
None.

Notes
None.


Acknowledgements

VMware would like to thank Yuval Lazar (@Ul7raVi0l3t) of Pentera for
reporting this issue to us.

Response Matrix:

Product         Version  Running On         CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
vCenter Server  7.0      Any                CVE-2022-22948  5.5     Moderate  7.0 U3d        None         None
vCenter Server  6.7      Virtual Appliance  CVE-2022-22948  5.5     Moderate  6.7 U3p        None         None
vCenter Server  6.7      Windows            CVE-2022-22948  N/A     N/A       Unaffected     N/A          N/A
vCenter Server  6.5      Virtual Appliance  CVE-2022-22948  5.5     Moderate  6.5 U3r        None         None
vCenter Server  6.5      Windows            CVE-2022-22948  N/A     N/A       Unaffected     N/A          N/A


Impacted Product Suites that Deploy Response Matrix Components:

Product                            Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
Cloud Foundation (vCenter Server)  4.x      Any         CVE-2022-22948  5.5     Moderate  Patch pending  None         None
Cloud Foundation (vCenter Server)  3.x      Any         CVE-2022-22948  5.5     Moderate  3.11           None         None

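As an added triage helper (not part of the VMware advisory or of CERT-Renater's note), the following Python transcribes the vCenter Server rows of the response matrix above and classifies an install's reported version and platform against them. It assumes version strings in the advisory's own naming ("7.0", "7.0 U3", "7.0 U3d"); the Cloud Foundation rows are not encoded.

```python
import re

# Transcribed from the VMSA-2022-0009 response matrix (vCenter Server rows
# only): (release line, running on) -> first fixed update level.
FIXED_VERSION = {
    ("7.0", "any"): "7.0 U3d",
    ("6.7", "virtual appliance"): "6.7 U3p",
    ("6.5", "virtual appliance"): "6.5 U3r",
}
# Rows the matrix marks as Unaffected.
UNAFFECTED = {("6.7", "windows"), ("6.5", "windows")}

# Assumed version-string shape, following the advisory's naming.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\s*(?:U(\d+)([a-z])?)?$", re.IGNORECASE)


def parse_update(version: str) -> tuple:
    """Turn 'x.y U<n><letter>' into a comparable tuple (x, y, n, letter).

    A missing update number or letter sorts lowest, so '7.0 U3' < '7.0 U3d'
    and '7.0' < '7.0 U3', which is how the advisory's 'prior to' reads.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised vCenter Server version: {version!r}")
    major, minor, update, letter = m.groups()
    return (int(major), int(minor), int(update or 0), (letter or "").lower())


def assess(version: str, running_on: str = "any") -> str:
    """Classify an install against the matrix.

    Returns 'unaffected', 'fixed', 'vulnerable', or 'unknown' when the
    (release line, platform) pair has no row, e.g. 6.7 with no platform given.
    """
    v = parse_update(version)
    line = f"{v[0]}.{v[1]}"
    platform = running_on.strip().lower()
    if (line, platform) in UNAFFECTED:
        return "unaffected"
    fixed = FIXED_VERSION.get((line, platform)) or FIXED_VERSION.get((line, "any"))
    if fixed is None:
        return "unknown"
    return "fixed" if v >= parse_update(fixed) else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver, plat in [("vc-a", "7.0 U3c", "any"),
                            ("vc-b", "6.7 U3p", "Virtual Appliance"),
                            ("vc-c", "6.7 U3a", "Windows")]:
        print(host, ver, plat, "->", assess(ver, plat))
```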

4. References

Fixed Version(s) and Release Notes:


vCenter Server 7.0 U3d
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC70U3D&productId=974&rPId=74352
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3d-release-notes.html

vCenter Server 6.7 U3p
Downloads and Documentation:
https://customerconnect.vmware.com/en/downloads/details?downloadGroup=VC67U3P&productId=742&rPId=78421
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3p-release-notes.html

vCenter Server 6.5 U3r
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC65U3R&productId=614&rPId=74057
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u3r-release-notes.html


VMware Cloud Foundation 3.11
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.11/rn/VMware-Cloud-Foundation-311-Release-Notes.html

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22948

FIRST CVSSv3 Calculator:
CVE-2022-22948:
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N


5. Change Log
2022-03-29 VMSA-2022-0009
Initial security advisory.


6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org

E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055

VMware Security Advisories
https://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC


Copyright 2022 VMware Inc. All rights reserved.



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

