How to determine if a reported CVE Vulnerability affects vCenter Appliance

Article ID: 436357

Products

VMware vCenter Server

Issue/Introduction

Security scans report vulnerabilities (CVEs) for vCenter

Environment

VMware vCenter Server Appliance

Cause

Security scans (e.g., Qualys, Nessus, Tenable) report vulnerabilities (CVEs) that affect vCenter. These findings are frequently based on the installed package version string alone, so they can be false positives when the fix for the CVE has been backported into the Photon OS package without a change to the upstream version number.

Resolution

To validate whether a reported CVE is a true positive or a false positive, follow these steps:

  1. Identify System and OS Version
    • Access the appliance via SSH and run: cat /etc/photon-release
  2. Verify RPM Package Versions
    • Identify the flagged package from your scan and check the installed version: rpm -qa | grep [package_name]
  3. Compare Against Fixed Versions
    • Compare the installed version-release of the package with the version that contains the fix, as listed in the Photon OS security advisory for that CVE and in the VMware vCenter Server Photon OS Security Patches reference under Additional Information.
    • If the installed version is at or above the fixed version, the finding is a false positive. Photon OS also backports fixes without raising the upstream version number, so an installed version that is lower than the upstream fixed version is not by itself proof of a true positive; when the comparison is inconclusive, open a case with the details listed below.
  4. Remediation
    • Remediations are delivered through official product releases and patches.
    • Broadcom does not support any manual or explicit modifications to the underlying operating system components and packages inside the VMware appliance.
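The procedure above, as an added example script that is not part of this article and not Broadcom tooling. It assumes a POSIX shell with GNU coreutils (sort -V); rpm is only needed for the live queries, and the package name, versions, changelog text and CVE ids used in the demo are constructed placeholders. It adds one check the steps do not spell out: because Photon OS backports fixes, the package's RPM changelog is searched for the CVE id before the version numbers are compared.

```shell
#!/bin/sh
# Added example, not Broadcom's tooling: triage a scanner-reported CVE against
# the package actually installed on a vCenter appliance. Assumes a POSIX shell
# with GNU coreutils (sort -V). rpm is only needed by collect_live(); the other
# functions run offline on constructed input.

# True (exit 0) when version-release string $1 sorts at or above $2.
# Epoch is not handled here; compare %{EPOCH} separately if the package uses one.
version_at_least() {
    local installed="$1" fixed="$2"
    [ "$(printf '%s\n%s\n' "$installed" "$fixed" | sort -V | tail -n 1)" = "$installed" ]
}

# Classify one finding.
#   $1 CVE id   $2 installed version-release   $3 fixed version-release from the
#   advisory (empty if unknown)   $4 rpm changelog text of the package
# Photon OS backports fixes, so the changelog is checked first: a package can
# carry the fix while its version number stays below the upstream fixed version.
# Prints the verdict; exit 0 = false positive, exit 1 = needs review / patching.
triage() {
    local cve="$1" installed="$2" fixed="$3" changelog="$4"
    if printf '%s\n' "$changelog" | grep -qiF -- "$cve"; then
        echo "false-positive: $cve is listed in the changelog of installed build $installed"
        return 0
    fi
    if [ -n "$fixed" ] && version_at_least "$installed" "$fixed"; then
        echo "false-positive: installed $installed is at or above fixed $fixed"
        return 0
    fi
    echo "needs-review: $cve not in changelog and installed $installed is not at or above fixed version ${fixed:-unknown}"
    return 1
}

# Live queries on the appliance (not run by the offline demo):
#   $1 CVE id, $2 package name as installed, $3 fixed version-release from the advisory.
collect_live() {
    local cve="$1" pkg="$2" fixed="$3" installed
    cat /etc/photon-release
    installed="$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$pkg")" || {
        echo "not-installed: $pkg is not present; confirm the package name the scanner used"
        return 2
    }
    triage "$cve" "$installed" "$fixed" "$(rpm -q --changelog "$pkg")"
}

# Constructed sample changelog for the offline demo (placeholder package build
# and CVE ids, not real advisory data).
SAMPLE_CHANGELOG='* Mon Mar 04 2024 Photon maintainer - 2.4.1-3
- Backport fix for CVE-2024-XXXXX
* Mon Jan 08 2024 Photon maintainer - 2.4.1-2
- Rebuild'

demo() {
    # Fixed upstream in 2.4.2-1; the installed 2.4.1-3 carries the backport.
    triage "CVE-2024-XXXXX" "2.4.1-3" "2.4.2-1" "$SAMPLE_CHANGELOG"
    # A second id with no changelog entry and a lower version stays open.
    triage "CVE-2024-YYYYY" "2.4.1-3" "2.4.2-1" "$SAMPLE_CHANGELOG" || true
}

demo
```

On a real appliance, replace the demo call with collect_live "$CVE" "$PACKAGE" "$FIXED_VERSION", taking the fixed version-release from the Photon OS advisory for the CVE. A needs-review verdict is the point at which to gather the scan report, the photon-release output and the rpm -qa listing for a support case rather than to modify packages by hand.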


If further validation is required from Broadcom Support, please provide the following when creating a case:

  • Full scan report and scanner vendor details.
  • Output of `cat /etc/photon-release`.
  • Output of `rpm -qa` from the affected appliance.
  • VMware product and version details.

Additional Information

VMware vCenter Server Photon OS Security Patches