The fix for CVE-2023-29483, a DoS in dnspython related to UDP queries through dns.query.udp() and "ignore_errors" and fixed in dnspython 2.6.0rc1, may be included in subsequent patching, provided Photon includes the CVE for Photon OS 5.0. VMware will not backport this security fix to earlier versions of vCenter, as it may break other API and SDK dependencies. No fix for CVE-2023-29483 is scheduled at this time for vCenter 7.x. No backports to earlier versions of Photon OS will be scheduled for the dnspython denial-of-service vulnerability.
VMware vCenter Server 7.0
VMware vCenter Server 8.0
Finding:
CVSS Score Source: CVE-2023-29483
Score: 4.4
Updated: 4/16/2024
Vulnerability Publication Date: 2/10/2024
Path : /usr/lib64/python3.7/site-packages/dnspython
Installed version : 1.15.0
Fixed version : 2.6.0rc1
The fix is in Photon OS 5, which is included in VCF 9.0.
VMware Cloud Foundation 9.0 Release Notes
rpm -qa | grep dnspython
rpm -ql python3-dnspython-1.15.0-3.ph3.noarch | grep dnspython
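The check these commands support can be scripted. The following is an added example, not VMware's or the dnspython project's code: it parses `rpm -qa` output and compares each dnspython package against the fixed version 2.6.0rc1 named in the finding. The function names, the second and third sample lines, and the choice to treat 2.6.0 alpha/beta builds as unfixed are assumptions.

```python
import re

FIXED = (2, 6, 0)  # numeric part of the page's fixed version, 2.6.0rc1

# rpm name-version-release.arch, e.g. python3-dnspython-1.15.0-3.ph3.noarch
NVRA = re.compile(r"^(?P<name>\S*dnspython)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[^.]+)$")
VER = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(a|b|rc)(\d+))?$")

# Constructed sample of `rpm -qa` output; only the first line appears on the page.
SAMPLE = """\
python3-dnspython-1.15.0-3.ph3.noarch
python3-dnspython-2.6.1-1.ph5.noarch
openssl-3.0.0-1.ph5.x86_64
"""


def parse_version(ver):
    """Return ((major, minor, patch), pre) where pre is None or (tag, n)."""
    m = VER.match(ver)
    if not m:
        raise ValueError(f"unrecognised version: {ver!r}")
    major, minor, patch, tag, n = m.groups()
    return (int(major), int(minor), int(patch or 0)), ((tag, int(n)) if tag else None)


def is_fixed(ver):
    """True when ver is 2.6.0rc1 or later."""
    release, pre = parse_version(ver)
    if release != FIXED:
        return release > FIXED
    # Same numeric release: final and rcN (N >= 1) are fixed; alpha/beta
    # builds are assumed to predate the fix.
    return pre is None or (pre[0] == "rc" and pre[1] >= 1)


def audit(rpm_qa_output):
    """Return one finding per dnspython package line in `rpm -qa` output."""
    findings = []
    for line in rpm_qa_output.splitlines():
        m = NVRA.match(line.strip())
        if m:
            findings.append({"package": m["name"], "version": m["ver"],
                             "release": m["rel"], "fixed": is_fixed(m["ver"])})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        status = "fixed" if f["fixed"] else "VULNERABLE to CVE-2023-29483"
        print(f'{f["package"]} {f["version"]}-{f["release"]}: {status}')
```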
Please check the published CVE fixes in the vCenter release versions.
Go to https://www.broadcom.com/support/vmware-security-advisories, select VMware Cloud Foundation, and search for the CVE to find which VMware products are patched for security vulnerabilities.
If the CVE is not listed, then it is not included in that VMware product.
If the vCenter Photon OS is 4.0, the dnspython version should be at 2.0 or higher.
End of Support for Photon OS on vCenter Server
2. Will VMware release a new update of vCenter 7.0 that includes updating Photon OS to version 4 or 5?
VMware will not release a newer Photon OS version on older releases of vCenter including 7.0 & 8.0.