Unsolved
1 Rookie
•
2 Posts
0
443
VMSA-2024-0012
Any ETA on patching VxRail for this one?
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453
DELL-Sam L
Moderator
•
7K Posts
0
June 19th, 2024 08:34
Hello CarlAAM,
Here is a link to a KB about this issue.
https://dell.to/3VMGQAJ
Holzwurm
1 Rookie
•
4 Posts
0
June 19th, 2024 13:17
This article is permission based. Find another article.
What's the answer?
Thanks
DELL-Sam L
Moderator
•
7K Posts
0
June 19th, 2024 13:20
VxRail: VMSA-2024-0012: (CVE-2024-37079, CVE-2024-37080, CVE-2024-37081)
Summary: VxRail: VMSA-2024-0012: VMware vCenter Server updates address heap-overflow and privilege escalation vulnerabilities (CVE-2024-37079, CVE-2024-37080, CVE-2024-37081)
Article Content
Instructions
If Customers are running a VxRail-managed vCenter:
Dell Technologies is reviewing VMware vulnerabilities tracked in CVE-2024-37079 and CVE-2024-37080, which are disclosed in VMSA-2024-0012. We will communicate any security updates or mitigations, if necessary, at https://dell.to/3XqUM4R. The security of our products is a top priority and critical to protecting our customers.
If Customers are running a customer-managed vCenter:
VxRail customers with customer-managed vCenter configurations can immediately upgrade following the guidance provided in VMSA-2024-0012.
Notes:
Klaas--
1 Rookie
•
10 Posts
0
June 19th, 2024 14:56
So what are possible workarounds?
1) Firewall vCenter -- I am guessing that's a valid option. Do I only need to block 80/443? Do I firewall at the vCenter level/the network level? What still needs access to it? The witness nodes, the ESXi servers?
2) Can I just temporarily power off the vCenter until there is a fix available via VxRail? What are the consequences of that besides me not being able to manage the VMs?
3) Can I just install the patch from VMware directly? Is that possible -- how do I get back to a "normal" VxRail with embedded vCenter afterwards? :)
DELL-Sam L
Moderator
•
7K Posts
0
June 19th, 2024 17:00
Hello Klaas,
As stated in the KB, there is no workaround for this issue currently.
Klaas--
1 Rookie
•
10 Posts
0
June 20th, 2024 06:35
@DELL-Sam L well, of course there are workarounds; the easiest one, but one I would not like to do, is: just shut down VxRail until an update is available :)
The other 3 ideas I suggested in my previous post seemed like a better idea though.
DELL-Sam L
Moderator
•
7K Posts
0
June 20th, 2024 09:54
Hello Klaas,
There are not any official workarounds yet that DellEMC has published for this issue. We are actively working this issue, and when there are workarounds or patches they will be published at this link: https://dell.to/4bdkCwv
Klaas--
1 Rookie
•
10 Posts
1
July 2nd, 2024 08:25
Dell has missed their promised 14-day window for updates: https://www.dell.com/support/kbdoc/en-us/000182153
Anonym1234
1 Rookie
•
1 Message
1
July 5th, 2024 08:31
@DELL-Sam L
Hello,
When can we expect an update from Dell for the security vulnerability? The vulnerability has been open for more than 14 days now, with no prospect of an update.
Klaas--
1 Rookie
•
10 Posts
0
July 5th, 2024 09:04
Dell has released the update for version 7:
https://www.dell.com/support/home/en-us/product-support/product/vxrail-software/drivers
https://www.dell.com/support/manuals/en-us/vxrail-software/vxr_p_vxrail_release_notes_v7.0/what-is-new-in-vxrail-7.0.521?guid=guid-ff374bc7-c9ae-4f83-b157-1fa54c3d18ae&lang=en-us
but they have failed to announce it on their security site:
https://www.dell.com/support/security/en-us ...
Klaas--
1 Rookie
•
10 Posts
0
July 12th, 2024 06:57
https://www.dell.com/support/kbdoc/en-us/000226863/dsa-2024-289-security-update-for-dell-vxrail-8-0-213-multiple-third-party-component-vulnerabilities was released yesterday evening, ~4 weeks after the VMware update.