[VMC on AWS] Security scanning tools reporting vulnerability on vCenter or ESXi hosts



Article ID: 314084


Products

VMware Cloud on AWS

Issue/Introduction

This article explains how to identify false positives raised by third-party security scanning tools against the vCenter Server and ESXi hosts of a VMware Cloud on AWS (VMC on AWS) SDDC.

Symptoms:
Some third-party security scanning tools report vulnerabilities against the vCenter Server or ESXi hosts of a VMC on AWS SDDC, even though the SDDC is not affected.

Example:

Advisory: VMSA-2022-0030 (CVE-2022-31696, CVE-2022-31699)

Scanner findings (one line per host; the scanner repeats the IP in both the host and target columns):

  • 10.143.18.4 - ESXi 6.5 / 6.7 / 7.0 Multiple Vulnerabilities (VMSA-2022-0030)
  • 10.143.18.6 - ESXi 6.5 / 6.7 / 7.0 Multiple Vulnerabilities (VMSA-2022-0030)
  • 10.143.18.7 - ESXi 6.5 / 6.7 / 7.0 Multiple Vulnerabilities (VMSA-2022-0030)
  • 10.143.18.8 - ESXi 6.5 / 6.7 / 7.0 Multiple Vulnerabilities (VMSA-2022-0030)

Build details reported by the scanner:

  • ESXi version: 7.0
  • Installed build: 20277314
  • Fixed build: 20842708


Cause

  • False positives occur because some third-party security scanning tools perform an ESXi/vCenter version check and then evaluate the result against the on-premises build number associated with that ESXi/vCenter version, rather than against the build actually running in the SDDC.
  • For instance, the "Installed build: 20277314" shown in the example above is the build of an on-premises ESXi host; it is not the build running on the SDDC hosts.

Resolution

  • A VMC on AWS SDDC runs a non-standard build of vCenter Server and ESXi that is not on the on-premises patch line, so its build number cannot be compared directly with on-premises installed or fixed builds.
  • The vCenter Server and ESXi version associated with a particular SDDC version can be verified against the VMware document that lists, for each SDDC version, the corresponding vCenter Server and ESXi versions and builds.
  • In the example above, the SDDC was running version 1.18v6, which ships ESXi 7.0.3 (build 20278438). This build of ESXi is not affected by VMSA-2022-0030, even though the build number is numerically lower than the on-premises fixed build 20842708 reported by the scanner.
  • Before accepting such a finding, check the SDDC version in the VMC Console and confirm the actual ESXi/vCenter build from the SDDC's vCenter Server; a mismatch between the scanner's "Installed build" and the build vCenter reports indicates the scanner applied its on-premises build table to the SDDC.
  • Furthermore, in VMC on AWS the management components (vCenter Server and ESXi hosts) are managed by VMware. VMware fixes or mitigates all issues affecting these components via patches applied to the SDDC.
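The following triage helper is an added example and is not VMware's code or any scanner vendor's logic. It parses scanner lines in the flattened shape shown above, compares the build the scanner assumed for "ESXi 7.0" with the build each host actually reports (constructed here to match the article's example; in practice this would come from the SDDC's vCenter Server, for instance via PowerCLI `Get-VMHost | Select Name, Version, Build`), and flags findings where the host is on a known VMC SDDC build as candidate false positives. The SDDC-to-build map contains only the 1.18v6 entry quoted in the article; the inventory dict, the `Finding` class and the verdict labels are assumptions made for the example.

```python
"""Cross-check scanner-reported ESXi builds against what vCenter reports.

Added example (not VMware's or a scanner vendor's code). Inventory data,
scanner lines and verdict labels are constructed for illustration; the
advisory and build numbers are the ones quoted in the article.
"""
import re
from dataclasses import dataclass

# Constructed: scanner output in the "<ip> <ip> <plugin name> (<VMSA id>)"
# shape shown in the article, one line per host.
SCANNER_OUTPUT = """\
10.143.18.4 10.143.18.4 ESXi 6.5 / 6.7 / 7.0 Multiple Vulnerabilities (VMSA-2022-0030)
10.143.18.6 10.143.18.6 ESXi 6.5 / 6.7 / 7.0 Multiple Vulnerabilities (VMSA-2022-0030)
10.143.18.7 10.143.18.7 ESXi 6.5 / 6.7 / 7.0 Multiple Vulnerabilities (VMSA-2022-0030)
10.143.18.8 10.143.18.8 ESXi 6.5 / 6.7 / 7.0 Multiple Vulnerabilities (VMSA-2022-0030)
"""

# What the scanner assumed for "ESXi 7.0": the on-premises installed build
# it mapped the version to, and the on-premises fixed build it compared against.
SCANNER_ASSUMED_BUILD = 20277314
SCANNER_FIXED_BUILD = 20842708

# Constructed inventory: what the SDDC's vCenter actually reports per host.
# Populate this from vCenter, never from the scanner itself.
ACTUAL_INVENTORY = {
    "10.143.18.4": {"version": "7.0.3", "build": 20278438},
    "10.143.18.6": {"version": "7.0.3", "build": 20278438},
    "10.143.18.7": {"version": "7.0.3", "build": 20278438},
    "10.143.18.8": {"version": "7.0.3", "build": 20278438},
}

# SDDC version -> ESXi build, as quoted in the article. Extend from VMware's
# SDDC/ESXi version correlation document for other SDDC versions.
VMC_SDDC_BUILDS = {"1.18v6": 20278438}

# host, (repeated) target, plugin name, advisory id in parentheses
LINE_RE = re.compile(r"^(\S+)\s+\S+\s+(.*?)\s+\((VMSA-\d{4}-\d{4})\)\s*$")


@dataclass
class Finding:
    host: str
    plugin: str
    advisory: str


def parse_scanner_output(text):
    """Return one Finding per scanner line that matches the expected shape."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(Finding(*m.groups()))
    return findings


def naive_build_compare(installed_build, fixed_build):
    """The on-premises rule a scanner applies: lower build => vulnerable.
    Applied to a VMC build this yields a wrong answer, because VMC builds
    are not on the on-premises patch line."""
    return installed_build < fixed_build


def classify(finding, inventory, sddc_builds, assumed_build):
    """Decide whether a finding is worth escalating or is a likely false positive."""
    actual = inventory.get(finding.host)
    if actual is None:
        return "unknown-host"
    if actual["build"] == assumed_build:
        # Scanner's assumed build matches what vCenter reports: the finding
        # stands and must be assessed against the advisory for real.
        return "confirmed-build-match"
    if actual["build"] in sddc_builds.values():
        # Host runs a known VMC SDDC build; the scanner's on-premises build
        # table does not apply, so this is a candidate false positive.
        return "candidate-false-positive"
    # Build differs but is not a known SDDC build: needs a human look.
    return "build-mismatch-review"


def triage(text, inventory=ACTUAL_INVENTORY, sddc_builds=VMC_SDDC_BUILDS,
           assumed_build=SCANNER_ASSUMED_BUILD):
    """Map each scanned host to a verdict."""
    return {f.host: classify(f, inventory, sddc_builds, assumed_build)
            for f in parse_scanner_output(text)}


if __name__ == "__main__":
    for host, verdict in triage(SCANNER_OUTPUT).items():
        print(f"{host}: {verdict}")
    # Shows why the scanner gets it wrong: the VMC build is numerically lower
    # than the on-premises fixed build, so the naive rule says "vulnerable".
    print("naive rule on VMC build:",
          naive_build_compare(VMC_SDDC_BUILDS["1.18v6"], SCANNER_FIXED_BUILD))
```

The verdict `candidate-false-positive` is a prompt to confirm the SDDC version and its documented ESXi build, not a closure by itself; a `confirmed-build-match` means the scanner's build table did match the host and the advisory must be assessed normally. If the inventory is pulled from vCenter over the network, keep it out of the scanner's reach so the two views stay independent.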


Additional Information