On Monday, July 1st, 2024, details were published on CVE-2024-6387, a signal handler race condition vulnerability in OpenSSH. The Broadcom Product Security and Incident Response Team (PSIRT) - VMware Cloud Foundation Division (VCFD) has evaluated this vulnerability and its impact on VMware Cloud Foundation products.
The VMware Cloud Foundation Division continues to recommend that SSH remain disabled (it is disabled by default) in production environments. Please see the product-specific documentation for details on how to disable SSH if it has been enabled. Alternative workarounds are not recommended and may have functional impacts on a product if implemented without published instructions. If additional workarounds are tested and approved, they will be mentioned in the 'Product Impact' section above.
Regardless of the exploitability of CVE-2024-6387, VMware Cloud Foundation products will consume versions of OpenSSH that are not potentially vulnerable to CVE-2024-6387 in previously scheduled future releases.
Refer to the table below for each product's name and the current status of its vulnerability impact.
| Date of Validation | Product Name | Vulnerability Status | Fixed Version |
|---|---|---|---|
| 07/02/2024 | VMware Aria Operations for Logs | Not Impacted | N/A |
| 07/02/2024 | VCF SDDC Manager | Not Impacted | N/A |
| 07/02/2024 | VMware Cloud Director | Not Impacted | N/A |
| 07/02/2024 | NSX & NSX-T Datacenter | Not Impacted | N/A |
| 07/02/2024 | VMware Identity Manager | Not Impacted | N/A |
| 07/03/2024 | VMware Aria Automation | Not Impacted | N/A |
| 07/03/2024 | VMware Automation Orchestrator | Not Impacted | N/A |
| 07/03/2024 | VMware TKRs | Not Impacted | N/A |
| 07/04/2024 | VMware Cloud Provider Lifecycle Manager | Not Impacted | N/A |
| 07/04/2024 | Usage Meter | Not Impacted | N/A |
| 07/04/2024 | VMware Site Recovery Manager | Not Impacted | N/A |
| 07/04/2024 | VMware vSphere Replication | Not Impacted | N/A |
| 07/05/2024 | VMware Cloud Provider Lifecycle Manager | Not Impacted | N/A |
| 07/08/2024 | VMware HCX | Not Impacted | N/A |
| 09/30/2024 | ESXi 8.0 U3 | Fixed | ESXi 8.0U3b |
| 10/04/2024 | vCenter Server 8.0 U3 | Fixed | vCenter Server 8.0 U3b (note: OpenSSH is updated to 8.9p1-8 and no longer contains the vulnerable version) |
| 10/25/2024 | VM TKRs | Fixed | VM TKRs version 1.30.1 |
| 02/20/2025 | Aria Suite Lifecycle | Not Impacted | Not impacted, as it is based on Photon 3.0. This CVE affects OpenSSH from 8.6 (inclusive) up to 9.8 (exclusive); LCM 8.18 ships OpenSSH 7.8p1 on Photon 3. |
| 08/08/2024 | Aria Operations | Fixed | Aria Operations 8.18 HF1 no longer contains the vulnerable OpenSSH version. |
| 05/20/2025 | ESXi 7.0 U3 | Fixed | ESXi 7.0 U3v (see the VMware ESXi 7.0 Update 3v Release Notes) |
| 06/26/2025 | vRealize Automation (vRA) 8.18.1 | Not Impacted | N/A |
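The table makes a point that is easy to miss when inventorying hosts: the bare OpenSSH version is not enough to decide exposure, because a vendor-rebuilt package such as the 8.9p1-8 on vCenter 8.0 U3b carries the fix while keeping an upstream version inside the affected range. The following triage helper is an added example, not Broadcom's code; it applies the range stated in the table (8.6 inclusive to 9.8 exclusive) to SSH banner strings and flags rebuilt packages for confirmation against the vendor's fixed-version list rather than declaring them vulnerable or safe. The banners and the "vendor tag" heuristic (anything after the version) are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Affected range exactly as stated in the advisory table above:
# OpenSSH >= 8.6 and < 9.8 (upstream notices may phrase the range differently).
AFFECTED_FROM = (8, 6)
AFFECTED_BEFORE = (9, 8)

# Version part of a banner such as "SSH-2.0-OpenSSH_8.9p1-8" or
# "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10" (constructed forms, not captured).
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p\d+)?(?:[ -](\S+))?")


@dataclass
class Triage:
    version: Tuple[int, int]
    vendor_tag: Optional[str]   # package revision or comment after the version, if any
    in_affected_range: bool
    verdict: str


def parse_version(banner: str) -> Tuple[Tuple[int, int], Optional[str]]:
    """Return ((major, minor), vendor_tag) from an OpenSSH banner string."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSH banner: {banner!r}")
    return (int(m.group(1)), int(m.group(2))), m.group(3)


def triage(banner: str) -> Triage:
    version, tag = parse_version(banner)
    in_range = AFFECTED_FROM <= version < AFFECTED_BEFORE
    if not in_range:
        verdict = "outside affected range"
    elif tag:
        # A rebuilt package (hypothetical tag heuristic) may have the fix
        # backported, as the vCenter 8.9p1-8 row shows; confirm with the vendor.
        verdict = "upstream version in range; confirm vendor/distro backport"
    else:
        verdict = "in affected range; treat as vulnerable until patched"
    return Triage(version, tag, in_range, verdict)


if __name__ == "__main__":
    # Constructed sample banners, not collected from any real host.
    for b in ("SSH-2.0-OpenSSH_7.8p1", "SSH-2.0-OpenSSH_8.9p1-8", "SSH-2.0-OpenSSH_9.8p1"):
        print(b, "->", triage(b).verdict)
```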
Broadcom VMware Cloud Foundation Division response to CVE-2024-6387 - OpenSSH signal handler race condition vulnerability