Twisted version vulnerabilities reported on vCenter server

Article ID: 376639

Updated On:

Products

VMware vCenter Server

Issue/Introduction

When a security scan is run against vCenter Server 8.0.x, the following vulnerabilities might be reported against the Twisted (TwistedWeb) component:

CVE-2020-10108 HTTP Request Smuggling Attacks 
CVE-2022-21712 Cookie and Authorization headers are sent when following a cross-origin redirect with twisted.web.client
CVE-2022-24801 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in twisted.web
CVE-2022-39348 NameVirtualHost Host header injection


Environment

VMware vCenter Server 8.0.x

Resolution

CVE-2020-10108:

This is a false positive. The scanner bases the finding on the HTTP response header, which reports TwistedWeb 19.10.0, but Photon OS 4.0, the operating system used by vCenter Server 8.0.x, ships a later version of TwistedWeb that is not vulnerable to this issue.

CVE-2022-21712, CVE-2022-24801, and CVE-2022-39348:

These vulnerabilities are fixed in vCenter Server 8.0 Update 3e (8.0.3 Patch 5). Updating to that release or later is the resolution.

If you are currently unable to update vCenter Server to 8.0 U3e, the following workaround mitigates these vulnerabilities by stopping and disabling the VMware POD service (vmware-pod):

  1. Open an SSH connection to the vCenter Server Appliance and log in with the root account.
  2. Stop the vmware-pod service:
    # service-control --stop vmware-pod
  3. Disable the vmware-pod service so it does not start again on reboot:
    # systemctl disable vmware-pod.service
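The following script is an added example, not part of this article or of VMware's tooling. It puts the two halves of this article into one place: a version triage that shows why the CVE-2020-10108 finding is a banner-based false positive (the scanner reads the Server header, the appliance runs a newer Twisted), and a wrapper around the workaround above that verifies the service really stayed disabled. The Twisted versions that first carried each fix are taken from the upstream Twisted advisories and are not stated in the article; the `installed_twisted_version` and `advertised_twisted_version` helpers assume the appliance's `python3` can import `twisted` and that the host:port you pass is the one the scanner flagged (both assumptions, not stated in the article). Only the pure version logic runs offline; the appliance helpers need to be run on the VCSA as root.

```shell
#!/bin/sh
# Added example (not from the KB article): triage Twisted findings from a
# scanner against what is actually installed, and apply the KB workaround.

# First upstream Twisted release carrying the fix for each CVE, per the
# Twisted project advisories (not stated in the KB article).
twisted_fixed_in() {
    case "$1" in
        CVE-2020-10108) echo 20.3.0 ;;
        CVE-2022-21712) echo 22.1.0 ;;
        CVE-2022-24801) echo 22.4.0 ;;
        CVE-2022-39348) echo 22.10.0 ;;
        *) return 1 ;;
    esac
}

# version_ge A B: succeed when dotted version A >= B, compared numerically
# component by component. Non-numeric suffixes such as "rc1" are ignored.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
        case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
    done
    return 0
}

# cve_status VERSION: one "CVE fixed|vulnerable" line per CVE for a Twisted
# version, e.g. the version the scanner saw or the one really installed.
cve_status() {
    for cve in CVE-2020-10108 CVE-2022-21712 CVE-2022-24801 CVE-2022-39348; do
        if version_ge "$1" "$(twisted_fixed_in "$cve")"; then
            echo "$cve fixed"
        else
            echo "$cve vulnerable"
        fi
    done
}

# banner_version "Server: TwistedWeb/19.10.0" -> 19.10.0
# Extracts the version string a scanner reads from the Server header.
banner_version() {
    printf '%s\n' "$1" | sed -n 's/.*[Tt]wisted[Ww]eb\/\([0-9][0-9.]*\).*/\1/p'
}

# --- Appliance-side helpers (run on the VCSA as root) ---------------------

# Version of Twisted actually importable by the appliance's python3.
# Assumption: the Photon OS Twisted package is importable as "twisted".
installed_twisted_version() {
    python3 -c 'import twisted; print(twisted.__version__)' 2>/dev/null
}

# Version advertised in the Server header of https://HOST[:PORT]/, which is
# what the scanner keys its finding on. Assumption: you pass the endpoint
# the scanner reported.
advertised_twisted_version() {
    banner_version "$(curl -sk -D - -o /dev/null "https://$1/" | grep -i '^Server:')"
}

# KB workaround: stop and disable vmware-pod, then confirm it is disabled.
# Note that the service stays disabled until you re-enable it after patching.
disable_vmware_pod() {
    service-control --stop vmware-pod || return 1
    systemctl disable vmware-pod.service || return 1
    # is-enabled exits 0 only while the unit is still enabled.
    systemctl is-enabled vmware-pod.service >/dev/null 2>&1 && return 1
    return 0
}

# Usage on the appliance (after sourcing this file):
#   echo "scanner saw: $(advertised_twisted_version vcsa.example.internal:443)"
#   cve_status "$(installed_twisted_version)"
#   disable_vmware_pod && echo "vmware-pod stopped and disabled"
```

Run `cve_status` once with the banner version and once with the installed version: the banner value (19.10.0) shows all four CVEs as vulnerable, which is what the scanner reports, while the installed version decides which findings are real. Treat this as a version-number check only; it does not detect fixes that a distribution has backported without changing the version string.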