Unsolved

1 Rookie

 • 

2 Posts

443

June 18th, 2024 22:32

VMSA-2024-0012

Any ETA on patching VxRail for this one?

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453

Moderator

 • 

7K Posts

June 19th, 2024 08:34

Hello CarlAAM,

Here is a link to a KB about this issue.

https://dell.to/3VMGQAJ

1 Rookie

 • 

4 Posts

June 19th, 2024 13:17

This article is permission-based. Find another article.

What's the answer?

Thanks

Moderator

 • 

7K Posts

June 19th, 2024 13:20

VxRail: VMSA-2024-0012: (CVE-2024-37079, CVE-2024-37080, CVE-2024-37081)

Summary: VxRail: VMSA-2024-0012:VMware vCenter Server updates address heap-overflow and privilege escalation vulnerabilities (CVE-2024-37079, CVE-2024-37080, CVE-2024-37081)

Audience Level: Customer

Article Content

Instructions

On June 17, 2024, VMware released VMSA-2024-0012, a security advisory disclosing a group of vulnerabilities (CVE-2024-37079, CVE-2024-37080, CVE-2024-37081) for VMware vCenter Server and VMware Cloud Foundation (VCF). CVE-2024-37079 and CVE-2024-37080 have a CVSS score of 9.8 and can potentially lead to remote code execution (RCE). CVE-2024-37081 has a CVSS score of 7.8 and can potentially lead to local privilege escalation. 

If Customers are running a VxRail-managed vCenter:

Dell Technologies is reviewing VMware vulnerabilities tracked in CVE-2024-37079 and CVE-2024-37080, which are disclosed in VMSA-2024-0012. We will communicate any security updates or mitigations, if necessary, at https://dell.to/3XqUM4R. The security of our products is a top priority and critical to protecting our customers.

If Customers are running a customer-managed vCenter:

VxRail customers with customer-managed vCenter configurations can immediately upgrade following the guidance provided in VMSA-2024-0012.

Notes:

  • There is no workaround for this issue
  • For any further questions, reach out to VxRail support

1 Rookie

 • 

10 Posts

June 19th, 2024 14:56

So what are possible workarounds?

1) Firewall vCenter -- I am guessing that's a valid option. Do I only need to block 80/443? Do I firewall at the vCenter level or the network level? What does still need access to it? The witness nodes, the ESXi servers?

2) Can I just temporarily power off the vCenter until there is a fix available via VxRail? What are the consequences of that, besides me not being able to manage the VMs?

3) Can I just install the patch from VMware directly? Is that possible -- and how do I get back to a "normal" VxRail with embedded vCenter afterwards? :)

Moderator

 • 

7K Posts

June 19th, 2024 17:00

Hello Klaas,

As stated in the KB, there is no workaround for this issue currently.

1 Rookie

 • 

10 Posts

June 20th, 2024 06:35

@DELL-Sam L​ Well, of course there are workarounds. The easiest one, but one I would not like to do, is: just shut down VxRail until an update is available :)

The other three ideas I suggested in my previous post seemed like a better idea, though.

Moderator

 • 

7K Posts

June 20th, 2024 09:54

Hello Klaas,

There are not any official workarounds yet that DellEMC has published for this issue. We are actively working this issue, and when there are workarounds or patches they will be published at this link: https://dell.to/4bdkCwv

1 Rookie

 • 

10 Posts

July 2nd, 2024 08:25

Dell has missed their promised 14 day window for updates: https://www.dell.com/support/kbdoc/en-us/000182153

1 Rookie

 • 

1 Message

July 5th, 2024 08:31

@DELL-Sam L​

Hello,

When can we expect an update from Dell for the security vulnerability? The vulnerability has been open for more than 14 days now, with no prospect of an update.

1 Rookie

 • 

10 Posts

July 12th, 2024 06:57
