VMware Product Appliances (VCDA, VCD): Understanding Vulnerability Remediation and Photon OS Package Update Strategy

Article ID: 404866

Updated On:

Products

VMware Cloud Director

VMware Live Recovery

Issue/Introduction

When performing a Vulnerability Assessment and Penetration Test (VAPT), the test may report security vulnerabilities (CVEs) identified in underlying open-source libraries or components of the Photon OS on which VMware product appliances, such as VMware Cloud Director Availability (VCDA) and VMware Cloud Director (VCD), are built. Security scans or audits indicate that certain packages within these appliances' operating systems are outdated or contain known vulnerabilities.

Environment

VMware Cloud Director 10.x

VMware Cloud Director Availability 4.7

Cause

VMware Cloud Director Availability (VCDA) and VMware Cloud Director (VCD) appliances are deployed as pre-configured virtual appliances built on a hardened and customized version of Photon OS. To ensure the stability, compatibility, and integrity of the integrated application, updates to the underlying Photon OS packages (including those addressing CVEs in third-party libraries) are managed and integrated exclusively during the official product release cycle.

  • Unsupported Manual Updates: Manually attempting to update individual Photon OS packages (e.g., using tdnf or rpm) on a running VCDA or VCD appliance, outside of an official product upgrade process, is not supported.
  • Risk of Instability: Such manual modifications can lead to unforeseen regressions, functional breakdowns, system instability, and may render the appliance unsupported due to potential conflicts with the application's specific dependencies and configurations.

Resolution

Vulnerability remediation for the underlying operating system and bundled components of VMware product appliances is delivered through new, official product releases.

  • Each new product release incorporates thoroughly tested and validated versions of Photon OS and its associated packages, including the latest security fixes and component updates available at the time of the release build.
  • Customers should plan to upgrade their deployments to the latest available official version to benefit from these security updates.
  • The resolution for specific reported vulnerabilities will therefore be available in a future product release that includes the updated component versions, as verified and tested by the product development team.

Additional Information

You can check the latest VCD and VCDA releases available for download at: