Impact of CVE-2024-39894 on VMware vCenter Server Appliance
Article ID: 377358

Products

VMware vCenter Server

Issue/Introduction

The article provides information regarding the impact of CVE-2024-39894 on VMware vCenter Server Appliance. The vulnerability, CVE-2024-39894, affects OpenSSH versions 9.5 to 9.7, as detailed in the National Vulnerability Database (NVD).

Environment

  • VMware vCenter Server Appliance 8.x

  • VMware vCenter Server Appliance 7.x

  • VMware vCenter Server Appliance 6.x

Cause

As per the CVE-2024-39894 description, OpenSSH versions 9.5 through 9.7 (before 9.8) are vulnerable to timing attacks against echo-off password entry (e.g., for su and sudo) due to an ObscureKeystrokeTiming logic error. This issue does not affect the VMware vCenter Server Appliance because the OpenSSH versions it ships are older than the affected range.

Resolution

The VMware vCenter Server Appliance is not impacted by CVE-2024-39894. The vulnerability is not applicable because all major appliance releases ship an OpenSSH package older than the affected versions.

The following OpenSSH versions are utilized by the respective appliance releases:

  • VMware vCenter Server 8.0 U3a utilizes OpenSSH version 8.9p1.

  • VMware vCenter Server 7.0 U3t utilizes OpenSSH version 7.8p1.

  • VMware vCenter Server 6.7 U3v utilizes OpenSSH version 7.4p1.

All updates across VMware vCenter Server versions 6.7, 7.0, and 8.0 use OpenSSH version 8.9p1 or lower, which is outside the scope of this vulnerability. The exact OpenSSH version included in a specific update can be determined by reviewing the VMware vCenter Server Photon OS Security Patches release notes.
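As an added example (not VMware's own tooling), the check below parses OpenSSH version strings as they appear in `ssh -V` output or an rpm package name and reports whether each falls inside the 9.5 through 9.7 range named in the CVE description. The inventory is constructed: it holds the three appliance releases listed above plus two hypothetical hosts that bracket the affected range.

```python
import re

# Affected range from the CVE-2024-39894 description: OpenSSH 9.5 through 9.7, fixed in 9.8.
AFFECTED_MIN = (9, 5)
FIXED_IN = (9, 8)

# Matches "OpenSSH_8.9p1", "openssh-7.4p1" (rpm style) or a bare "8.9p1".
_VERSION_RE = re.compile(r"(?:OpenSSH[-_ ]?)?(\d+)\.(\d+)(?:p(\d+))?", re.IGNORECASE)


def parse_openssh_version(text):
    """Return (major, minor, portable_patch) from a version string; patch is 0 if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSH version found in {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(text):
    """True when major.minor lies in [9.5, 9.8); the portable 'pN' suffix does not matter here."""
    major, minor, _ = parse_openssh_version(text)
    return AFFECTED_MIN <= (major, minor) < FIXED_IN


def triage(inventory):
    """Map each host or appliance name to True (in scope) or False (out of scope)."""
    return {name: is_affected(version) for name, version in inventory.items()}


# Constructed inventory: the appliance releases from this article plus two hypothetical hosts.
INVENTORY = {
    "vCenter 8.0 U3a": "OpenSSH_8.9p1, OpenSSL 3.0.2",  # constructed, in the style of `ssh -V`
    "vCenter 7.0 U3t": "7.8p1",
    "vCenter 6.7 U3v": "openssh-7.4p1",                 # constructed, rpm-style package name
    "example-host-affected": "OpenSSH_9.6p1",           # hypothetical host inside 9.5-9.7
    "example-host-fixed": "OpenSSH_9.8p1",              # hypothetical host already on 9.8
}

if __name__ == "__main__":
    for host, affected in triage(INVENTORY).items():
        print(f"{host}: {'AFFECTED' if affected else 'not affected'}")
```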

Additional Information