VMware just announced VMSA-2023-0023 with a maximum CVSSv3 base score of 9.8 - which basically implies DANGER! Here is everything you need to know about it for your VCF environments.
VMSA-2023-0023 covers two CVEs: CVE-2023-34048 and CVE-2023-34056. The severity of these issues has been evaluated to be in the Critical severity range, with a maximum CVSSv3 base score of 9.8.
This VMSA affects all versions of vCenter Server, and is limited to vCenter only; ESXi is not affected.
What makes this VMSA challenging is that there are no in-product workarounds available. As a result, the only remediation path is to upgrade vCenter Server to a fixed version.
The response matrix is as follows:
For VMware Cloud Foundation (VCF) environments, vCenter upgrades can be challenging - as out-of-band upgrades are not supported, and upgrades have to be performed from the SDDC Manager.
Here are the upgrade paths and the respective vCenter Versions for different VCF versions:
VCF 5.x:
Fixed vCenter version: 8.0 U1d
Upgrade Path: Use the Async Patch Tool to download the vCenter upgrade bundle, then install it from the SDDC Manager.
Reference KBs:
Available Async Patches - https://kb.vmware.com/s/article/88287
Using Async Patch Tool in Online Mode - https://kb.vmware.com/s/article/95284
Using Async Patch Tool in Offline Mode - https://kb.vmware.com/s/article/95287
VCF 4.x:
Fixed vCenter version: 7.0 U3o
Minimum Required VCF Version: VCF 4.3.1.1
Upgrade Path: Use the Async Patch Tool to download the vCenter upgrade bundle, then install it from the SDDC Manager.
Reference KBs:
Available Async Patches - https://kb.vmware.com/s/article/88287
Using Async Patch Tool in Online Mode - https://kb.vmware.com/s/article/95284
Using Async Patch Tool in Offline Mode - https://kb.vmware.com/s/article/95287
VCF 3.x:
Since VCF 3.x does not support async patching using the Async Patch Tool, the upgrade process here is different. Essentially, all PSCs and vCenters have to be upgraded out-of-band, i.e. directly via the PSC/VC VAMI page. Once all PSCs and VCs are on the fixed version, a post-upgrade remediation script has to be run on the SDDC Manager; it makes the required changes on the SDDC Manager to update its inventory and configuration files.
These instructions, along with the script, are detailed in the KB linked below.
Fixed vCenter version: 6.7 U3t
Minimum Required VCF Version: VCF 3.11
Upgrade Path: Upgrade PSCs and VCs out-of-band. After all upgrades are complete, run the post-upgrade remediation script on the SDDC Manager.
Reference KBs:
Applying vCenter 6.7 U3t on VCF 3.x: https://kb.vmware.com/s/article/95194
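To turn the three VCF upgrade paths above into something you can run against an inventory, here is an added example (not VMware's tooling or code from this post) that parses vCenter versions in the "X.Y UNx" notation used above, compares each vCenter against the fixed version for its VCF line, and checks the minimum VCF version before recommending an action. The inventory rows are constructed sample data; the function and field names are my own. It assumes versions are supplied in the same notation as the post (mapping numeric vCenter builds to update letters is something you take from VMware's release tables, which are not reproduced here).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Fixed vCenter versions and prerequisites per VCF line, as listed above for VMSA-2023-0023.
# "vcf_min" is the SDDC Manager version required before the vCenter patch can be applied.
FIXED = {
    "5": {"vcenter_fixed": "8.0 U1d", "vcf_min": None,
          "path": "Async Patch Tool bundle installed from the SDDC Manager"},
    "4": {"vcenter_fixed": "7.0 U3o", "vcf_min": "4.3.1.1",
          "path": "Async Patch Tool bundle installed from the SDDC Manager"},
    "3": {"vcenter_fixed": "6.7 U3t", "vcf_min": "3.11",
          "path": "out-of-band PSC/VC VAMI upgrade followed by the SDDC Manager remediation script"},
}

# Matches "7.0", "7.0 U3" and "7.0 U3o" (major.minor, optional update number, optional patch letter).
_VC_RE = re.compile(r"^(\d+)\.(\d+)(?:\s*U(\d+)([a-z])?)?$")


def parse_vcenter(version: str) -> tuple:
    """Turn a vCenter version string into an orderable tuple (major, minor, update, patch).
    No 'U' suffix counts as update 0; an update without a letter counts as patch 0,
    so '7.0 U3' < '7.0 U3a' < '7.0 U3o'."""
    m = _VC_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised vCenter version: {version!r}")
    major, minor, update, letter = m.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(update or 0), patch)


def parse_vcf(version: str) -> tuple:
    """Dotted VCF version into a tuple; tuple comparison handles '3.10.2.2' < '3.11' correctly."""
    return tuple(int(p) for p in version.strip().split("."))


@dataclass
class Finding:
    host: str
    vcf_version: str
    vcenter_version: str
    status: str  # "fixed", "unpatched", "blocked" or "unknown"
    action: str


def assess(host: str, vcf_version: str, vcenter_version: str) -> Finding:
    """Compare one vCenter against the fixed version for its VCF line and say what to do next."""
    line = vcf_version.split(".")[0]
    entry = FIXED.get(line)
    if entry is None:
        return Finding(host, vcf_version, vcenter_version, "unknown",
                       "VCF line not covered here; check the VMSA response matrix")
    vc, fixed = parse_vcenter(vcenter_version), parse_vcenter(entry["vcenter_fixed"])
    if vc[:2] != fixed[:2]:
        return Finding(host, vcf_version, vcenter_version, "unknown",
                       f"vCenter {vcenter_version} is not on the line expected for VCF {line}.x "
                       f"({entry['vcenter_fixed']}); verify the pairing before acting")
    if vc >= fixed:
        return Finding(host, vcf_version, vcenter_version, "fixed", "no action required")
    vcf_min: Optional[str] = entry["vcf_min"]
    if vcf_min and parse_vcf(vcf_version) < parse_vcf(vcf_min):
        return Finding(host, vcf_version, vcenter_version, "blocked",
                       f"upgrade SDDC Manager to VCF {vcf_min} first, then apply vCenter "
                       f"{entry['vcenter_fixed']} via {entry['path']}")
    return Finding(host, vcf_version, vcenter_version, "unpatched",
                   f"apply vCenter {entry['vcenter_fixed']} via {entry['path']}")


# Constructed sample inventory: (host, VCF version, vCenter version). Not real systems.
SAMPLE_INVENTORY = [
    ("sddc-mgmt-01", "5.0.0.0", "8.0 U1d"),
    ("sddc-wld-01", "4.5.0.0", "7.0 U3m"),
    ("sddc-wld-02", "4.2.1.0", "7.0 U3m"),
    ("sddc-legacy-01", "3.10.2.2", "6.7 U3s"),
    ("sddc-legacy-02", "3.11.0.0", "6.7 U3t"),
]


def run_inventory(rows=SAMPLE_INVENTORY) -> list:
    """Assess every row and return the findings (also printed as a short report)."""
    findings = [assess(*row) for row in rows]
    for f in findings:
        print(f"{f.host:16} VCF {f.vcf_version:9} vCenter {f.vcenter_version:9} {f.status:9} {f.action}")
    return findings


if __name__ == "__main__":
    run_inventory()
```

The "blocked" state is the one people miss: a VCF 4.2 or 3.10 environment cannot just pull the fixed vCenter bundle, because the SDDC Manager itself has to reach the minimum version listed above first. Feeding real data in means exporting the VCF and vCenter versions from your SDDC Manager inventory into the same tuple layout.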