Security vulnerabilities in vSphere Management SDK 8.0 and 8.0U1

Article ID: 312154

Updated On: 06-19-2025

Products

VMware vCenter Server
VMware vSphere ESXi

Issue/Introduction

Scanning tools flag vSphere Management SDK 8.0U1 as vulnerable.

Environment

VMware vSphere ESXi 7.0.3
VMware vSphere ESXi 8.0.x

Cause

The vSphere Management SDK 8.0U1 ships woodstox-core 6.2.4 as a transitive dependency of jaxws-ri:3.0.2. woodstox-core 6.2.4 is affected by CVE-2022-40152 (a stack buffer overflow in Woodstox), which makes the SDK vulnerable.

Resolution

Update the SDK to version 8.0 U2.


Workaround:

This vulnerability can be avoided by replacing the existing woodstox-core with version 6.4.0 or higher.

Steps to replace it:

  1. Download the woodstox-core 6.4.0 jar from the Maven repository.
  2. Rename woodstox-core-6.4.0.jar to woodstox-core.jar.
  3. Replace the vulnerable woodstox-core jar with the new jar. The jar in the SDK is located under SDK/libs/JAXWS-RI/lib/.
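Because the replacement jar is renamed to woodstox-core.jar, the file name no longer reveals the version; the check below, added here and not part of the KB article or the SDK, reads the version from the jar's manifest and flags anything below 6.4.0. It assumes the jar carries a Bundle-Version or Implementation-Version manifest header (Maven-built woodstox-core does), and the sample jars it builds in a temporary directory are constructed fixtures.

```python
import re
import tempfile
import zipfile
from pathlib import Path

FIXED_VERSION = (6, 4, 0)                      # from the article: 6.4.0 or higher is fixed
DEFAULT_LIB_DIR = Path("SDK/libs/JAXWS-RI/lib")  # jar location given in the article


def parse_version(text):
    """Turn '6.2.4' (or '6.4.0.SNAPSHOT') into a comparable tuple of leading numeric parts."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())


def manifest_version(jar_path):
    """Read the version header from META-INF/MANIFEST.MF inside a jar (assumed header names)."""
    with zipfile.ZipFile(jar_path) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", errors="replace")
    # Manifest values may be folded onto continuation lines that start with a single space.
    unfolded = manifest.replace("\r\n", "\n").replace("\n ", "")
    for header in ("Bundle-Version", "Implementation-Version"):
        found = re.search(rf"^{header}:\s*(.+)$", unfolded, re.MULTILINE)
        if found:
            return found.group(1).strip()
    raise ValueError(f"no version header in manifest of {jar_path}")


def scan_woodstox(lib_dir=DEFAULT_LIB_DIR):
    """Map each woodstox-core*.jar in lib_dir to (version, vulnerable) based on the 6.4.0 threshold."""
    results = {}
    for jar in Path(lib_dir).glob("woodstox-core*.jar"):
        version = manifest_version(jar)
        results[jar.name] = (version, parse_version(version) < FIXED_VERSION)
    return results


def make_sample_jar(path, version):
    """Constructed fixture: a minimal jar whose manifest carries only Bundle-Version."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nBundle-Version: {version}\n")


def demo():
    """Constructed scenario: the shipped 6.2.4 jar next to the downloaded 6.4.0 replacement."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "SDK" / "libs" / "JAXWS-RI" / "lib"
        lib.mkdir(parents=True)
        make_sample_jar(lib / "woodstox-core.jar", "6.2.4")        # what 8.0U1 ships
        make_sample_jar(lib / "woodstox-core-6.4.0.jar", "6.4.0")  # replacement before renaming
        return scan_woodstox(lib)
```

Run `scan_woodstox()` from the SDK root before and after step 3; the renamed jar should report 6.4.0 and `False`.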