Note that this information is intended to provide some pointers in relation to VMSA-2020-0006/CVE-2020-3952 in a VCF or VVD environment. Always take decisions based on the official documentation as published by VMware.
If you’re a VMware administrator you have probably heard about VMSA-2020-0006/CVE-2020-3952, which outlines a serious vulnerability that may affect vCenter 6.7. Maybe you already patched your vCenter Server(s); if not, it’s time to investigate the issue and take the appropriate actions. Bob Plankers wrote a blogpost on the issue which I recommend reading. Deploying the available patch doesn’t seem too much work and will solve the issue.
Please note that clean deployments of vCenter 6.7 are not affected; only vCenter 6.7 deployments that were upgraded from a previous release (6.0, 6.5) are affected. vCenter 6.5 and 7.0 are not affected. vCenter Server 6.0 is out of support and will not be listed. Again, read Bob’s blogpost and the original security advisory.
VMware Cloud Foundation / VVD and VMSA-2020-0006/CVE-2020-3952
If you’re on VMware Cloud Foundation (VCF), it’s highly recommended to follow the VCF patching sequence and guidelines.
On April 15th a VMware Knowledge Base article was published that explains how to patch the vCenter Servers that are part of a VCF environment. The steps in this KB explain how to deploy the patch that solves VMSA-2020-0006/CVE-2020-3952 in a VCF 3.9.1 environment. It’s highly recommended that you follow this procedure.
If your environment is based on VMware Validated Design 5.x, the following statement applies to you:
VMware makes available patches and releases to address critical security and functional issues for several products. Verify that you are using the latest security and express patches or hotfixes for a given component after deploying VMware Validated Design. Scalability and functionality tests for individual patches, express patches, or hotfixes are not typically performed against VMware Validated Design. If a patch must be applied to your environment, follow the VMware published practices and VMware Knowledge Base articles for the specific patch. If an issue occurs during or after the process of applying a patch, contact VMware Technical Support. If after applying a patch, the new product version no longer adheres to the bill of materials, or interrupts the upgrade to the next published version of the design, you must continue to follow the upgrade path to a version of the design that includes this product version. (Source: VVD 5.1.1 release notes.)
VVD 6.0 includes vCenter 7, and this version of vCenter Server is not affected by this vulnerability. However, the upgrade guidance for an upgrade from VVD 5.1.1 to VVD 6.0 is not yet available. Right now, the only way to solve this issue seems to be to patch the vCenter Server to 6.7f, keeping in mind the implications mentioned in the statement above.
Subscribe to the security advisories mailing list
Be sure to subscribe to the security advisories mailing list to automatically receive e-mails on future security advisories.