On 13 December 2022 VMware released a security advisory for VMware ESXi, Workstation, and Fusion.
The VMSA carries a rating of Moderate with a CVSSv3 score of 5.9 for VMware ESXi 8.0 and 7.0.
It carries a rating of Critical with a CVSSv3 score of 9.3 for Fusion 12.x and Workstation 16.x.
Fusion 13.x and Workstation 17.x are Unaffected.
Upgrade ESXi 8.x to ESXi 8.0a Build 20842819 (or later).
Upgrade ESXi 7.x to 7.0U3i Build 20842708 (or later).
Upgrade Fusion to 12.2.5 or 13.x. Similarly, upgrade Workstation to 16.2.5 or 17.x.
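When you have more than a handful of hosts, it helps to have a check that maps each host's version and build to the fixed builds listed above. The script below is an added example (mine, not code from the blog post or from VMware) that classifies the first line of `vmware -v` output from an ESXi host; the output format `VMware ESXi 7.0.3 build-20842708` and the `report` helper name are assumptions.

```shell
#!/bin/sh
# Added example, not from the blog post or from VMware: decide whether an ESXi host
# already runs the fixed build for VMSA-2022-0033 (ESXi 8.0a build 20842819,
# ESXi 7.0U3i build 20842708). Input is the first line printed by `vmware -v`,
# e.g. "VMware ESXi 7.0.3 build-20842708" (assumption: that is the format).

# Exit 0 = patched, 1 = still on a pre-fix build,
# 2 = release not in this advisory's fixed-build list (or unparseable input).
esxi_patched_for_vmsa_2022_0033() {
    line=$1
    version=$(printf '%s\n' "$line" | awk '$1 == "VMware" && $2 == "ESXi" { print $3 }')
    build=$(printf '%s\n' "$line" | sed -n 's/.*build-\([0-9][0-9]*\).*/\1/p')
    [ -n "$version" ] && [ -n "$build" ] || return 2
    case "$version" in
        8.0*) min_build=20842819 ;;   # ESXi 8.0a
        7.0*) min_build=20842708 ;;   # ESXi 7.0 Update 3i
        *)    return 2 ;;             # 6.x and earlier: not covered by this advisory's fixes
    esac
    [ "$build" -ge "$min_build" ]
}

# Human-readable verdict for one host's `vmware -v` line (helper name is mine).
report() {
    rc=0
    esxi_patched_for_vmsa_2022_0033 "$1" || rc=$?
    case "$rc" in
        0) echo "PATCHED    $1" ;;
        1) echo "VULNERABLE $1" ;;
        *) echo "UNKNOWN    $1" ;;
    esac
}

# Usage on a host:  sh check-vmsa-2022-0033.sh "$(vmware -v)"
# Across a fleet, collect each host's `vmware -v` line over SSH and feed it to report().
if [ -n "${1:-}" ]; then
    report "$1"
fi
```

Two hosts on the same major release can sit on different update trains, so the comparison is keyed on the major version first and only then on the numeric build; anything outside 7.0 and 8.0 is reported as UNKNOWN rather than silently passed.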
More details: https://www.vmware.com/security/advisories/VMSA-2022-0033.html
Pro Tip: Be sure to sign up for VMware Security Advisory emails by clicking the signup link on the VMSA page. This way you can be notified immediately when a new VMSA is released.
On October 25 2022, VMware released VMware Security Advisory VMSA-2022-0027 affecting VMware Cloud Foundation 3.x.
The affected products do NOT include VCF 4.x, only versions earlier than 3.11. Most of these products are EOGS (End of General Support) and should be removed from production.
On Tuesday, September 21, 2021, VMware released VMware Security Advisory VMSA-2021-0020 affecting vCenter Server. This VMSA contains 1 Critical advisory and 18 Important advisories.
Workaround*: VMware KB 85717: https://kb.vmware.com/kb/85717
VMware Blog “VMSA-2021-0020: What You Need to Know”: https://via.vmw.com/vmsa-2021-0020-blog
VMware Communities: https://via.vmw.com/vmsa-2021-0020-community
*The workaround is provided only for the 1 Critical vulnerability. The 18 additional lower-severity vulnerabilities require the patch to be applied. The workaround should only be used as a temporary measure until patching can be completed. Refer to the FAQ for additional information.
The key information to share is that IMMEDIATE ACTION IS REQUIRED. Apply the vCenter patch now, or apply the workaround (and understand the impact to functionality) if you cannot patch immediately.
VMware has released a very detailed blog and FAQ for this VMSA, which should help clarify questions that are sure to arise. These resources are linked above.
As a follow-up to the previous post, VMware Security expert Bob Plankers has just published an update to the vSphere Security Configuration guides. The changes are detailed in a blog article here:
One specific item of interest concerns the OpenSLP/CIM services (ref. VMSA-2019-0022, VMSA-2020-0023):
“Added and updated guidance for disabling SLP and CIM service daemons on ESXi. Security advisories are often good opportunities to assess the state of things, and most customers do not use these protocols. No VMware products use these protocols, either. We now have good methods and guidance for disabling them.”
Furthermore, while not detailed in the blog, I understand that the slpd service is disabled by default in ESXi going forward.
You can download the vSphere Security Configuration guides at https://core.vmware.com/security-configuration-guide
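The "good methods and guidance" for disabling the daemons boil down to a few esxcli and chkconfig commands run in the ESXi shell. The script below is an added example (mine, not the blog's or VMware's code) that first audits whether slpd and the CIM service are enabled on a host and then disables them; the command set follows VMware's published KB guidance for disabling SLP and CIM (assumption: still valid for the host's release), and the embedded sample outputs, including the field names of `esxcli system wbem get`, are constructed for the off-host checks.

```shell
#!/bin/sh
# Added example, not code from the blog post or from VMware: audit whether the SLP
# (slpd) and CIM (sfcbd) daemons are enabled on an ESXi host and, if nothing depends
# on them, disable them. Run in the ESXi shell over SSH. The esxcli/chkconfig
# commands follow VMware's KB guidance (assumption: unchanged for this host's release).

# Constructed sample outputs (not captured from a real host) so the parsing
# functions can be exercised off-host.
SAMPLE_CHKCONFIG_ON='ntpd            on
slpd            on
sfcbd-watchdog  on
vpxa            on'
SAMPLE_CHKCONFIG_OFF='ntpd            on
slpd            off
sfcbd-watchdog  off
vpxa            on'
SAMPLE_WBEM_ENABLED='   Authorization Model: password
   Enable HTTPS: true
   Enabled: true'
SAMPLE_WBEM_DISABLED='   Authorization Model: password
   Enable HTTPS: true
   Enabled: false'

# Return 0 when `chkconfig --list` output ($1) shows slpd set to start on boot.
slpd_enabled_in() {
    printf '%s\n' "$1" |
        awk '$1 == "slpd" && $2 == "on" { found = 1 } END { exit (found ? 0 : 1) }'
}

# Return 0 when `esxcli system wbem get` output ($1) reports the CIM service enabled
# (assumption: the "Enabled: true/false" field name).
wbem_enabled_in() {
    printf '%s\n' "$1" | grep -qi '^[[:space:]]*Enabled:[[:space:]]*true'
}

# Report the live state of both services on this host.
audit_host() {
    if slpd_enabled_in "$(chkconfig --list)"; then echo "slpd: ENABLED"; else echo "slpd: disabled"; fi
    if wbem_enabled_in "$(esxcli system wbem get)"; then echo "CIM (sfcbd): ENABLED"; else echo "CIM (sfcbd): disabled"; fi
    # Request counters show whether anything has actually been speaking SLP to this host,
    # which is the evidence to collect before turning the service off.
    esxcli system slp stats get
}

# Stop slpd, close its firewall ruleset, and keep it from starting on the next boot.
disable_slp() {
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
}

# Disable the CIM (WBEM) service. Hardware-monitoring tools that poll CIM lose
# visibility into this host, so confirm none are in use first.
disable_cim() {
    esxcli system wbem set --enable false
}

# Usage on a host:  sh slp-cim.sh audit   |   sh slp-cim.sh disable
case "${1:-}" in
    audit)   audit_host ;;
    disable) disable_slp; disable_cim; audit_host ;;
esac
```

The audit step is deliberately separate from the disable step: the SLP request counters and the CIM state are the evidence that nothing (a hardware-monitoring agent, for instance) still depends on the services, and the same audit run afterwards confirms the change took effect and survives the next reboot via chkconfig.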