Security vulnerabilities in vSphere Management SDK 8.0 and 8.0U1.

Article ID: 312154


Updated On:

Products

VMware vCenter Server
VMware vSphere ESXi

Issue/Introduction

Symptoms:

Vulnerability scanning tools flag vSphere Management SDK 8.0 and 8.0U1 as vulnerable.


Environment

VMware vSphere ESXi 7.0.3
VMware vSphere ESXi 8.0.x
VMware vSphere ESXi 8.0.1

Cause

The vSphere Management SDK 8.0U1 ships woodstox-core 6.2.4 as a transitive dependency of jaxws-ri 3.0.2. woodstox-core 6.2.4 is affected by CVE-2022-40152 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40152), a denial-of-service issue in the Woodstox XML parser (a stack overflow on crafted input when DTD support is enabled) that was fixed in woodstox-core 6.4.0. Because the vulnerable jar sits on the SDK's classpath, scanners report the SDK itself as vulnerable.

Resolution

Update the vSphere Management SDK to version 8.0U2, which resolves the issue.


Workaround:

Until the SDK is updated, the vulnerability can be avoided by replacing the bundled woodstox-core jar with version 6.4.0 or higher.

Steps to replace the jar:
1. Download the woodstox-core 6.4.0 jar from the Maven repository (https://mvnrepository.com/artifact/com.fasterxml.woodstox/woodstox-core/6.4.0) and verify its checksum against the one published with the artifact.
2. Rename woodstox-core-6.4.0.jar to woodstox-core.jar, the unversioned file name under which the SDK bundles the library.
3. Back up the vulnerable woodstox-core.jar in SDK/libs/JAXWS-RI/lib/ and replace it with the renamed jar. Because the bundled jar carries no version in its file name, confirm the swap by reading the version from the jar's own pom.properties or manifest rather than from the file name.
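The following script is an added example that is not part of this article and not VMware's code. It automates the workaround above: it reports which woodstox-core version is actually bundled (read from inside the jar, since the file name is unversioned), refuses a replacement jar that is still below 6.4.0 or whose SHA-256 does not match a checksum you supply, backs up the original and copies the new jar in under the expected name. The SDK layout (libs/JAXWS-RI/lib/woodstox-core.jar) is the one the article states; the expected checksum is assumed to come from the repository you downloaded from, and the stand-in jars built by make_fake_jar are constructed purely for offline demonstration.

```python
#!/usr/bin/env python3
"""Audit and patch the woodstox-core jar bundled with the vSphere Management SDK.

Added example, not VMware code. Assumes the article's layout:
<sdk_root>/libs/JAXWS-RI/lib/woodstox-core.jar
"""
import hashlib
import re
import shutil
import sys
import tempfile
import zipfile
from pathlib import Path
from typing import Optional

JAR_RELPATH = Path("libs/JAXWS-RI/lib/woodstox-core.jar")   # location given in the article
FIXED_VERSION = (6, 4, 0)                                     # article: 6.4.0 or higher is safe
POM_PROPERTIES = "META-INF/maven/com.fasterxml.woodstox/woodstox-core/pom.properties"


def parse_version(text: str) -> tuple:
    """'6.2.4' -> (6, 2, 4); a trailing qualifier such as '-SNAPSHOT' is ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(n or 0) for n in m.groups())


def jar_version(jar: Path) -> str:
    """Read the Maven version recorded inside the jar.

    The SDK ships the jar as woodstox-core.jar with no version in the name, so
    pom.properties (or, failing that, the manifest) is the only reliable source.
    """
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode().splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
        if "META-INF/MANIFEST.MF" in names:
            hit = re.search(r"^(?:Bundle|Implementation)-Version:\s*(\S+)",
                            zf.read("META-INF/MANIFEST.MF").decode(), re.M)
            if hit:
                return hit.group(1)
    raise ValueError(f"no version metadata found in {jar}")


def is_vulnerable(version: str) -> bool:
    """True for every woodstox-core release below the 6.4.0 fix."""
    return parse_version(version) < FIXED_VERSION


def audit(sdk_root: Path) -> dict:
    """Report the bundled version and whether it is still the affected one."""
    jar = Path(sdk_root) / JAR_RELPATH
    ver = jar_version(jar)
    return {"jar": str(jar), "version": ver, "vulnerable": is_vulnerable(ver)}


def replace_jar(sdk_root: Path, new_jar: Path, expected_sha256: Optional[str] = None) -> dict:
    """Back up the bundled jar and copy the downloaded one in under the expected name.

    expected_sha256 (assumed to be obtained from the repository you downloaded from;
    the article gives none) is checked before anything is touched. The copy under
    the unversioned name is what the article's rename step achieves.
    """
    new_jar = Path(new_jar)
    if expected_sha256 is not None:
        digest = hashlib.sha256(new_jar.read_bytes()).hexdigest()
        if digest != expected_sha256.lower():
            raise ValueError(f"checksum mismatch for {new_jar}: got {digest}")
    new_ver = jar_version(new_jar)
    if is_vulnerable(new_ver):
        raise ValueError(f"{new_jar} is woodstox-core {new_ver}; need 6.4.0 or higher")
    target = Path(sdk_root) / JAR_RELPATH
    old_ver = jar_version(target)
    backup = target.with_name(target.name + ".bak")
    shutil.copy2(target, backup)
    shutil.copy2(new_jar, target)
    return {"old_version": old_ver, "new_version": new_ver, "backup": str(backup)}


def make_fake_jar(path: Path, version: str) -> Path:
    """Constructed stand-in jar carrying only pom.properties, for offline demonstration."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    f"groupId=com.fasterxml.woodstox\nartifactId=woodstox-core\nversion={version}\n")
    return path


if __name__ == "__main__":
    if len(sys.argv) == 3:   # real use: python3 patch_woodstox.py <sdk_root> <woodstox-core-6.4.0.jar>
        sdk, new = Path(sys.argv[1]), Path(sys.argv[2])
        print(audit(sdk)); print(replace_jar(sdk, new)); print(audit(sdk))
    else:                    # demo on a constructed SDK tree (not a real SDK)
        work = Path(tempfile.mkdtemp())
        make_fake_jar(work / "sdk" / JAR_RELPATH, "6.2.4")
        fixed = make_fake_jar(work / "woodstox-core-6.4.0.jar", "6.4.0")
        print(audit(work / "sdk")); print(replace_jar(work / "sdk", fixed)); print(audit(work / "sdk"))
```

Run `audit` again after the copy: because the target keeps the name woodstox-core.jar, only the metadata inside the jar tells you the swap took effect, which is also what a rescan will look at. Pass `expected_sha256` whenever you have the published checksum so a tampered or truncated download is rejected before it lands on the classpath.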