
=====================================================================

                                 CERT-Renater

                     Information Note No. 2022/VULN453

_____________________________________________________________________

DATE                : 09/12/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware ESXi versions prior to
                     ESXi70U3si-20841705, ESXi670-202210101-SG,
                     ESXi650-202210101-SG,
                     VMware vCenter Server (vCenter Server) versions
                     prior to 7.0 U3i, 6.7.0 U3s, 6.5 U3u,
                     VMware Cloud Foundation (Cloud Foundation)
                     versions prior to KB90336.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2022-0030.html
_____________________________________________________________________


Important


Advisory ID:   VMSA-2022-0030
CVSSv3 Range:  4.2-7.5
Issue Date:    2022-12-08
Updated On:    2022-12-08 (Initial Advisory)
CVE(s):        CVE-2022-31696, CVE-2022-31697, CVE-2022-31698,
                 CVE-2022-31699

Synopsis:
VMware ESXi and vCenter Server updates address multiple security
vulnerabilities (CVE-2022-31696, CVE-2022-31697, CVE-2022-31698,
CVE-2022-31699)


1. Impacted Products

VMware ESXi
VMware vCenter Server (vCenter Server)
VMware Cloud Foundation (Cloud Foundation)


2. Introduction
Multiple vulnerabilities in VMware ESXi and vCenter Server were
privately reported to VMware. Updates are available to remediate
these vulnerabilities in affected VMware products.


3a. VMware ESXi memory corruption vulnerability (CVE-2022-31696)

Description

VMware ESXi contains a memory corruption vulnerability that exists
in the way it handles a network socket. VMware has evaluated the
severity of this issue to be in the Important severity range with
a maximum CVSSv3 base score of 7.5.

Known Attack Vectors

A malicious actor with local access to ESXi may exploit this issue
to corrupt memory leading to an escape of the ESXi sandbox.

Resolution

To remediate CVE-2022-31696 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds
None.

Additional Documentation
None.

Acknowledgements

VMware would like to thank Reno Robert of Trend Micro Zero Day
Initiative for reporting this issue to us.

Notes

[1] ESXi 6.7 and 6.5 have reached end-of-life. Fixed versions
documented in the response matrix were released before the
end-of-life date.

Response Matrix

Product  Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version             Workarounds  Additional Documentation
ESXi     8.0      Any         CVE-2022-31696  N/A     N/A        Not impacted              N/A          N/A
ESXi     7.0      Any         CVE-2022-31696  7.5     Important  ESXi70U3si-20841705       None         None
ESXi     6.7      Any         CVE-2022-31696  7.5     Important  [1] ESXi670-202210101-SG  None         None
ESXi     6.5      Any         CVE-2022-31696  7.5     Important  [1] ESXi650-202210101-SG  None         None


Impacted Product Suites that Deploy Response Matrix 3a Components:

Product                  Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
Cloud Foundation (ESXi)  4.x      Any         CVE-2022-31696  7.5     Important  KB90336        None         None
Cloud Foundation (ESXi)  3.x      Any         CVE-2022-31696  7.5     Important  KB90336        None         None


3b. VMware vCenter Server information disclosure vulnerability
(CVE-2022-31697)

Description

The vCenter Server contains an information disclosure
vulnerability due to the logging of credentials in plaintext.
VMware has evaluated the severity of this issue to be in the
Moderate severity range with a maximum CVSSv3 base score of 6.2.

Known Attack Vectors

A malicious actor with access to a workstation that invoked a
vCenter Server Appliance ISO operation
(Install/Upgrade/Migrate/Restore) can access plaintext
passwords used during that operation.

Resolution

To remediate CVE-2022-31697 apply the updates listed in the
'Fixed Version' column of the 'Response Matrix' below to
affected deployments.

Workarounds
None.

Additional Documentation
None.

Acknowledgements

VMware would like to thank Zachary Kern-Wies for reporting
this vulnerability to us.

Notes

[1] vCenter Server 6.7 and 6.5 have reached end-of-life.
Fixed versions documented in the response matrix were
released before the end-of-life date.

Response Matrix

Product         Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
vCenter Server  8.0      Any         CVE-2022-31697  N/A     N/A       Not impacted   N/A          N/A
vCenter Server  7.0      Any         CVE-2022-31697  6.2     Moderate  7.0 U3i        None         None
vCenter Server  6.7      Any         CVE-2022-31697  6.2     Moderate  [1] 6.7.0 U3s  None         None
vCenter Server  6.5      Any         CVE-2022-31697  6.2     Moderate  [1] 6.5 U3u    None         None


Impacted Product Suites that Deploy Response Matrix 3b
Components:

Product                            Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
Cloud Foundation (vCenter Server)  4.x      Any         CVE-2022-31697  6.2     Moderate  KB90336        None         None
Cloud Foundation (vCenter Server)  3.x      Any         CVE-2022-31697  6.2     Moderate  KB90336        None         None


3c. VMware vCenter Server content library denial of service
vulnerability (CVE-2022-31698)

Description

The vCenter Server contains a denial-of-service vulnerability in
the content library service. VMware has evaluated the severity of
this issue to be in the Moderate severity range with a maximum
CVSSv3 base score of 5.8.

Known Attack Vectors

A malicious actor with network access to port 443 on vCenter Server
may exploit this issue to trigger a denial-of-service condition by
sending a specially crafted header.

Resolution

To remediate CVE-2022-31698 apply the updates listed in the 'Fixed
Version' column of the 'Response Matrix' below to affected deployments.

Workarounds
None.

Additional Documentation
None.

Acknowledgements

VMware would like to thank Marcin 'Icewall' Noga of Cisco
Talos for reporting this issue to us.

Notes

[1] vCenter Server 6.7 and 6.5 have reached end-of-life.
Fixed versions documented in the response matrix were
released before the end-of-life date.


Response Matrix

Product         Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
vCenter Server  8.0      Any         CVE-2022-31698  N/A     N/A       Not impacted   N/A          N/A
vCenter Server  7.0      Any         CVE-2022-31698  5.8     Moderate  7.0 U3i        None         None
vCenter Server  6.7      Any         CVE-2022-31698  5.8     Moderate  [1] 6.7.0 U3s  None         None
vCenter Server  6.5      Any         CVE-2022-31698  5.8     Moderate  [1] 6.5 U3u    None         None


Impacted Product Suites that Deploy Response Matrix 3c
Components:

Product                            Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
Cloud Foundation (vCenter Server)  4.x      Any         CVE-2022-31698  5.8     Moderate  KB90336        None         None
Cloud Foundation (vCenter Server)  3.x      Any         CVE-2022-31698  5.8     Moderate  KB90336        None         None


3d. VMware ESXi OpenSLP heap overflow vulnerability
(CVE-2022-31699)

Description

VMware ESXi contains a heap-overflow vulnerability. VMware has
evaluated the severity of this issue to be in the Moderate
severity range with a maximum CVSSv3 base score of 4.2.

Known Attack Vectors

A malicious local actor with restricted privileges within a
sandbox process may exploit this issue to achieve a partial
information disclosure.

Resolution

To remediate CVE-2022-31699 apply the patches listed in the
'Fixed Version' column of the 'Response Matrix' found below.

Workarounds
None.

Additional Documentation
None.

Acknowledgements

VMware would like to thank 01dwang & bibi from Bugab00 team
for reporting this issue to us.

Notes

[1] ESXi 6.7 and 6.5 have reached end-of-life. Fixed versions
documented in the response matrix were released before the
end-of-life date.

[2] Per the Security Configuration Guides for VMware vSphere,
VMware now recommends disabling the OpenSLP service in ESXi if
it is not used. This service is disabled by default starting
from ESXi 7.0 U2c and ESXi 8.0. For more information, see our
blog posting:
https://blogs.vmware.com/vsphere/2021/02/evolving-the-vmware-vsphere-security-configuration-guides.html

Response Matrix

Product   Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version             Workarounds  Additional Documentation
[2] ESXi  8.0      Any         CVE-2022-31699  N/A     N/A       Not impacted              N/A          N/A
[2] ESXi  7.0      Any         CVE-2022-31699  4.2     Moderate  ESXi70U3si-20841705       KB76372      None
[2] ESXi  6.7      Any         CVE-2022-31699  4.2     Moderate  [1] ESXi670-202210101-SG  KB76372      None
[2] ESXi  6.5      Any         CVE-2022-31699  4.2     Moderate  [1] ESXi650-202210101-SG  KB76372      None


Impacted Product Suites that Deploy Response Matrix 3d
Components:

Product                  Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
Cloud Foundation (ESXi)  4.x      Any         CVE-2022-31699  4.2     Moderate  KB90336        KB76372      None
Cloud Foundation (ESXi)  3.x      Any         CVE-2022-31699  4.2     Moderate  KB90336        KB76372      None


4. References

Fixed Version(s) and Release Notes:

VMware vCenter Server 7.0 U3i
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/get-download?downloadGroup=VC70U3I
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3i-release-notes.html

vCenter Server 6.7 U3s
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC67U3S&productId=742
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3s-release-notes.html

vCenter Server 6.5 U3u
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC65U3U&productId=614&rPId=74057
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u3u-release-notes.html

VMware ESXi 7.0 ESXi70U3si-20841705
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u3i-release-notes.html

VMware ESXi 6.7 ESXi670-202210101-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202210001.html

VMware ESXi 6.5 ESXi650-202210101-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202210001.html

KB Articles:
Disable SLP: https://kb.vmware.com/s/article/76372
VCF 4.x/3.x: https://kb.vmware.com/s/article/90336

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31696
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31697
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31698
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31699

FIRST CVSSv3 Calculator:
CVE-2022-31696: 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2022-31697: 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2022-31698: 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
CVE-2022-31699: 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N


5. Change Log
2022-12-08 VMSA-2022-0030
Initial security advisory.


6. Contact
E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org

E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055

VMware Security Advisories
https://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

Copyright 2022 VMware Inc. All rights reserved.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================


