On April 15, 2024, Broadcom announced in a blog post that all customers, including those with expired support contracts, will have access to all patches for Critical Severity Security Alerts for supported versions of VMware vSphere.
Supported versions of VMware vSphere are versions 7.x and 8.x. Broadcom defines a zero-day security patch as a patch or workaround for Critical Severity Security Alerts with a Common Vulnerability Scoring System (CVSS) score greater than or equal to 9.0.
The VMware Security Response Center discloses Critical Severity alerts through the VMware Security Advisory (VMSA). Customers can continue to get VMSA notifications through the existing processes, such as subscribing to VMSA notifications.
Customers can continue to apply patches through existing product patching mechanisms, including the VMware Support Portal, and, after May 6, 2024, by registering at support.broadcom.com or using their existing registration there.
Customers should bookmark and follow the VMware Security Response Center (vSRC), which maintains a program to identify, respond to, and address vulnerabilities. Visit the vSRC at https://www.vmware.com/security/advisories.html.
The intent of this article is to help customers that are using VMware vSphere (7.x and 8.x) address the most critical security vulnerabilities. Broadcom will provide all perpetual license customers, including those that have expired support contracts, with access to zero-day security patches, which are defined by Broadcom as patches for Critical Severity Security Alerts with a Common Vulnerability Scoring System (CVSS) score greater than or equal to 9.0. VMware Security Advisories are published on the web here: https://www.vmware.com/security/advisories.html.