NSX for vSphere 6.4.14 addresses VMSA-2022-0027
search cancel

NSX for vSphere 6.4.14 addresses VMSA-2022-0027

book

Article ID: 318550

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

As documented in VMSA-2022-0027, all versions for VMware NSX Data Center for vSphere (NSX-v)  prior to NSX-v 6.4.14 Manager appliances are affected by the vulnerabilities listed in the advisory, CVE-2021-39144.
The impacted component is the NSX-v Manager, other NSX-v appliances are not impacted by the security vulnerability.


Environment

VMware NSX Data Center for vSphere 6.4.x

Resolution

VMware have released NSX for vSphere 6.4.14 to address this issue.



General Questions

Q. How does this vulnerability impact the NSX-v Manager?

A. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. A malicious actor with network access to the NSX-v Manager appliance can take full control of NSX-v Manager.

Q. With this release, is VMware extending the End of General Support date past 2022-01-16?
A. No, the End of General Support date for NSX-v still stands as 2022-01-16.

Q. NSX-v is End of General Support, why has VMware released a security patch for this product?
A. Please note NSX-v is an End of General Support product as of 2022-01-16, this patch has been released as an exception in line with VMware Technical Guidance policies. 

Q. I run standalone NSX-v without VCF, is my environment impacted?
A. All configurations of NSX-v are impacted.

Q. I am running an older version of NSX-v, am I impacted?
A. Yes, all versions prior to 6.4.14 are impacted.

Q. Can I upgrade directly to NSX-v 6.4.14?
A. For upgrade version compatibility please refer to the Product Interoperability Matrix.
    For earlier versions please refer to this KB Direct upgrade to NSX-V 6.4.10 and higher fails from NSX-V 6.4.2, 6.4.3, 6.4.4, and 6.4.5 versions.

Q. We have a change freeze and cannot upgrade, is a workaround available?
A. There is no in-product workaround possible, the only possible remediation is an upgrade of NSX-v. VMware Support will not be engaging on alternative mitigations.

Q. We have migrated from NSX-v to NSX-T, is the environment impacted?
A. NSX-T is not impacted by this issue.

Q. Is NSX-v 6.4.14 a full upgrade?
A. NSX-v 6.4.14 is a full component upgrade as it also contains additional fixes, please see the Release Notes for further details.

Q. If the Manager is the only component impacted by this vulnerability, can the Manager be upgraded without upgrading other NSX-v components?
A. For customers running on 6.4.12 or 6.4.13, VMware will support a partial upgrade to 6.4.14 involving Manager only. Other NSX-v components may remain pending upgrade indefinitely.
    For customers running on earlier versions of NSV-v, prior to 6.4.12, standard upgrade guidance applies and VMware's recommendation is to fully complete the upgrade.

Q. How do I address this issue in a VCF environment?
A. Please see Applying NSX-V 6.4.14 patch on VMware Cloud Foundation 3.x

Q. Will upgrading to NSX-v 6.4.14 impact my future NSX-T migration plans?
A. Migration from NSX-v 6.4.14 to NSX-T is fully supported.

Q. After completing the Manager only upgrade to 6.4.14, is it supported to start a migration to NSX-T while other NSX-v components remain on either 6.4.12 or 6.4.13?
A. Yes, the migration to NSX-T is supported in this configuration.

Q. We have already started the migration to NSX-T using Migration Coordinator from 6.4.12/6.4.13, can we upgrade the NSX-v Manager only to 6.4.14?
A. Once migration is in progress, it is not recommended to upgrade NSX-v. VMware recommends to prioritise completing the migration to NSX-T which is not impacted by this security vulnerability.

Additional Information

Change Log:
  • October 28th - KB published
  • October 29th - KB updated to support Manager only upgrades to 6.4.14 from 6.4.12 and 6.4.13 
  • November 1st - KB updated with migration to NSX-T support information