vCenter 7 and Apache Tomcat CVE-2023-24998, CVE-2023-28709

Article ID: 392422

Updated On: 04-16-2025

Products

VMware vCenter Server 7.0

Issue/Introduction

During a third-party security scan, CVE-2023-24998 and CVE-2023-28709 were detected on vCenter 7.0U3k (build 21290409).

Environment

vCenter 7.0.3

Cause

1. These two CVEs relate to Apache Tomcat. CVE-2023-28709 is a follow-up to CVE-2023-24998.

2. vCenter 7.0U3k (build 21290409) ships the Apache Tomcat package at version 8.5.78, which is affected by both CVEs, so the third-party security scan flags it.

Resolution

1. Apache Tomcat 8.5.88 includes the fixes for both CVE-2023-24998 and CVE-2023-28709.

Refer to the Apache Tomcat 8.5 security page:

https://tomcat.apache.org/security-8.html

--Fixed in Apache Tomcat 8.5.85
Important: Apache Tomcat denial of service CVE-2023-24998

--Fixed in Apache Tomcat 8.5.88
Moderate: Apache Tomcat denial of service CVE-2023-28709

2. The vCenter 7.0U3q (build 23788036) appliance includes "apache-tomcat 8.5.88-2.ph3".

Update to vCenter 7.0U3q or a later version to resolve the third-party security scan finding.

VMware vCenter Server Photon OS Security Patches
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/7-0/release-notes/vcenter-server-appliance-photonos-security-patches.html
vCenter Server 7.0 Update 3q, 21 May 2024, 23788036
apache-tomcat    8.5.88-2.ph3    CVE-2023-28709
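The following shell script is an added example, not part of this article or of any VMware/Broadcom tooling. It shows how to triage such a scanner finding on the appliance itself: it reads the installed apache-tomcat RPM version (the package name is the one listed above; rpm is standard on Photon OS), strips the Photon release suffix, and compares the upstream version against the fix levels quoted from the Tomcat security page (8.5.85 for CVE-2023-24998, 8.5.88 for CVE-2023-28709). The sample versions "8.5.78-1.ph3" and "8.5.86-1.ph3" used when no RPM database is present are constructed for the demo; only "8.5.88-2.ph3" comes from the article.

```shell
#!/bin/sh
# Added example (not from the KB): decide whether a vCenter 7 appliance's
# apache-tomcat package still carries CVE-2023-24998 / CVE-2023-28709.

# Fix levels quoted from https://tomcat.apache.org/security-8.html
FIX_CVE_2023_24998="8.5.85"
FIX_CVE_2023_28709="8.5.88"

# Strip the Photon release suffix: "8.5.88-2.ph3" -> "8.5.88".
tomcat_upstream_version() {
    printf '%s\n' "$1" | sed 's/-.*$//'
}

# version_ge A B: exit 0 if dotted version A >= B, comparing numerically
# component by component (missing components count as 0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# tomcat_open_cves RPMVERSION: print the CVEs not yet fixed at that version,
# space separated, or an empty line when both are fixed.
tomcat_open_cves() {
    upstream="$(tomcat_upstream_version "$1")"
    open=""
    version_ge "$upstream" "$FIX_CVE_2023_24998" || open="$open CVE-2023-24998"
    version_ge "$upstream" "$FIX_CVE_2023_28709" || open="$open CVE-2023-28709"
    printf '%s\n' "${open# }"
}

# tomcat_is_fixed RPMVERSION: exit 0 when neither CVE applies.
tomcat_is_fixed() {
    [ -z "$(tomcat_open_cves "$1")" ]
}

# Installed version as "VERSION-RELEASE"; fails when rpm or the package is absent.
installed_tomcat_version() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' apache-tomcat 2>/dev/null
}

# One line per version, suitable for a scanner-exception ticket.
report_tomcat() {
    ver="$1"
    open="$(tomcat_open_cves "$ver")"
    if [ -z "$open" ]; then
        printf 'apache-tomcat %s: fixed, CVE-2023-24998 and CVE-2023-28709 not applicable\n' "$ver"
    else
        printf 'apache-tomcat %s: affected (%s), update to vCenter 7.0U3q or later\n' "$ver" "$open"
    fi
}

# On an appliance, report the real package; elsewhere, run on constructed samples.
if ver="$(installed_tomcat_version)"; then
    report_tomcat "$ver"
else
    for v in "8.5.78-1.ph3" "8.5.86-1.ph3" "8.5.88-2.ph3"; do  # first two are constructed
        report_tomcat "$v"
    done
fi
```

Run it as root (or any user able to query the RPM database) on the vCenter Server Appliance shell; the single output line tells you whether the finding is a true positive for that build or can be closed as fixed in 8.5.88-2.ph3.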

Additional Information

These CVEs are not listed in a VMSA (VMware Security Advisory).

https://www.broadcom.com/support/vmware-security-advisories