VMSA-2022-0030


Important


VMSA-2022-0030

4.2-7.5

2022-12-08

2022-12-08 (Initial Advisory)

CVE-2022-31696, CVE-2022-31697, CVE-2022-31698, CVE-2022-31699

VMware ESXi and vCenter Server updates address multiple security vulnerabilities (CVE-2022-31696, CVE-2022-31697, CVE-2022-31698, CVE-2022-31699)

1. Impacted Products



  • VMware ESXi
  • VMware vCenter Server (vCenter Server)
  • VMware Cloud Foundation (Cloud Foundation)

2. Introduction



Multiple vulnerabilities in VMware ESXi and vCenter Server were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

3a. VMware ESXi memory corruption vulnerability (CVE-2022-31696)

Description



VMware ESXi contains a memory corruption vulnerability that exists in the way it handles a network socket. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

Known Attack Vectors



A malicious actor with local access to ESXi may exploit this issue to corrupt memory leading to an escape of the ESXi sandbox.

Resolution



To remediate CVE-2022-31696 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

Workarounds



None.

Additional Documentation



None.

Acknowledgements



VMware would like to thank Reno Robert of Trend Micro Zero Day Initiative for reporting this issue to us.

Notes



[1] ESXi 6.7 and 6.5 have reached end-of-life. Fixed versions documented in the response matrix were released before the end-of-life date.

Response Matrix

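| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| ESXi | 8.0 | Any | CVE-2022-31696 | N/A | N/A | Not impacted | N/A | N/A |
| ESXi | 7.0 | Any | CVE-2022-31696 | | important | | None | None |
| ESXi | 6.7 | Any | CVE-2022-31696 | | important | | None | None |
| ESXi | 6.5 | Any | CVE-2022-31696 | | important | | None | None |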

Impacted Product Suites that Deploy Response Matrix 3a Components:

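| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Cloud Foundation (ESXi) | 4.x | Any | CVE-2022-31696 | | important | | None | None |
| Cloud Foundation (ESXi) | 3.x | Any | CVE-2022-31696 | | important | | None | None |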

3b. VMware vCenter Server information disclosure vulnerability (CVE-2022-31697)

Description



The vCenter Server contains an information disclosure vulnerability due to the logging of credentials in plaintext. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.2.

Known Attack Vectors



A malicious actor with access to a workstation that invoked a vCenter Server Appliance ISO operation (Install/Upgrade/Migrate/Restore) can access plaintext passwords used during that operation.

Resolution



To remediate CVE-2022-31697 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.

Workarounds



None.

Additional Documentation



None.

Acknowledgements



VMware would like to thank Zachary Kern-Wies for reporting this vulnerability to us.

Notes



[1] vCenter Server 6.7 and 6.5 have reached end-of-life. Fixed versions documented in the response matrix were released before the end-of-life date.

Response Matrix

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| vCenter Server | 8.0 | Any | CVE-2022-31697 | N/A | N/A | Not impacted | N/A | N/A |
| vCenter Server | 7.0 | Any | CVE-2022-31697 | | moderate | | None | None |
| vCenter Server | 6.7 | Any | CVE-2022-31697 | | moderate | | None | None |
| vCenter Server | 6.5 | Any | CVE-2022-31697 | | moderate | | None | None |

Impacted Product Suites that Deploy Response Matrix 3b Components:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Cloud Foundation (vCenter Server) | 4.x | Any | CVE-2022-31697 | | moderate | | None | None |
| Cloud Foundation (vCenter Server) | 3.x | Any | CVE-2022-31697 | | moderate | | None | None |

3c. VMware vCenter Server content library denial of service vulnerability (CVE-2022-31698)

Description



The vCenter Server contains a denial-of-service vulnerability in the content library service. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.8.

Known Attack Vectors



A malicious actor with network access to port 443 on vCenter Server may exploit this issue to trigger a denial-of-service condition by sending a specially crafted header.  

Resolution



To remediate CVE-2022-31698 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.

Workarounds



None.

Additional Documentation



None.

Acknowledgements



VMware would like to thank Marcin ‘Icewall’ Noga of Cisco Talos for reporting this issue to us.

Notes



[1] vCenter Server 6.7 and 6.5 have reached end-of-life. Fixed versions documented in the response matrix were released before the end-of-life date.

Response Matrix

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| vCenter Server | 8.0 | Any | CVE-2022-31698 | N/A | N/A | Not impacted | N/A | N/A |
| vCenter Server | 7.0 | Any | CVE-2022-31698 | | moderate | | None | None |
| vCenter Server | 6.7 | Any | CVE-2022-31698 | | moderate | | None | None |
| vCenter Server | 6.5 | Any | CVE-2022-31698 | | moderate | | None | None |

Impacted Product Suites that Deploy Response Matrix 3c Components:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Cloud Foundation (vCenter Server) | 4.x | Any | CVE-2022-31698 | | moderate | | None | None |
| Cloud Foundation (vCenter Server) | 3.x | Any | CVE-2022-31698 | | moderate | | None | None |

3d. VMware ESXi OpenSLP heap overflow vulnerability (CVE-2022-31699)

Description



VMware ESXi contains a heap-overflow vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.2.

Known Attack Vectors



A malicious local actor with restricted privileges within a sandbox process may exploit this issue to achieve a partial information disclosure.

Resolution



To remediate CVE-2022-31699 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

Workarounds



None.

Additional Documentation



None.

Acknowledgements



VMware would like to thank 01dwang & bibi from Bugab00 team for reporting this issue to us.

Notes



[1] ESXi 6.7 and 6.5 have reached end-of-life. Fixed versions documented in the response matrix were released before the end-of-life date.

[2] Per the Security Configuration Guides for VMware vSphere, VMware now recommends disabling the OpenSLP service in ESXi if it is not used. This service is disabled by default starting from ESXi 7.0 U2c and ESXi 8.0. For more information, see our blog posting: https://blogs.vmware.com/vsphere/2021/02/evolving-the-vmware-vsphere-security-configuration-guides.html

Response Matrix

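| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| [2] ESXi | 8.0 | Any | CVE-2022-31699 | N/A | N/A | Not impacted | N/A | N/A |
| [2] ESXi | 7.0 | Any | CVE-2022-31699 | 4.2 | moderate | | | None |
| [2] ESXi | 6.7 | Any | CVE-2022-31699 | 4.2 | moderate | | | None |
| [2] ESXi | 6.5 | Any | CVE-2022-31699 | 4.2 | moderate | | | None |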

Impacted Product Suites that Deploy Response Matrix 3d Components:

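| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Cloud Foundation (ESXi) | 4.x | Any | CVE-2022-31699 | | moderate | | | None |
| Cloud Foundation (ESXi) | 3.x | Any | CVE-2022-31699 | | moderate | | | None |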

4. References



Fixed Version(s) and Release Notes:

VMware vCenter Server 7.0 U3i
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/get-download?downloadGroup=VC70U3I
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3i-release-notes.html

vCenter Server 6.7 U3s
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC67U3S&productId=742
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3s-release-notes.html

vCenter Server 6.5 U3u
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC65U3U&productId=614&rPId=74057
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u3u-release-notes.html

VMware ESXi 7.0 ESXi70U3si-20841705
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u3i-release-notes.html

VMware ESXi 6.7 ESXi670-202210101-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202210001.html

VMware ESXi 6.5 ESXi650-202210101-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202210001.html

KB Articles:
Disable SLP: https://kb.vmware.com/s/article/76372
VCF 4.x/3.x: https://kb.vmware.com/s/article/90336

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31696  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31697
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31698
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31699

FIRST CVSSv3 Calculator:
CVE-2022-31696: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2022-31697: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2022-31698: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
CVE-2022-31699: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

5. Change Log



2022-12-08 VMSA-2022-0030
Initial security advisory.

6. Contact



E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:  

security-announce@lists.vmware.com 
bugtraq@securityfocus.com 

fulldisclosure@seclists.org 

E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055 

VMware Security Advisories
https://www.vmware.com/security/advisories 

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html 

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html 

VMware Security & Compliance Blog  
https://blogs.vmware.com/security 

Twitter
https://twitter.com/VMwareSRC

Copyright 2022 VMware Inc. All rights reserved.
 
