Broadcom VMware Cloud Foundation Division response to CVE-2024-6387 - OpenSSH signal handler race condition vulnerability
Article ID: 371126
Products
VMware Cloud Foundation
Issue/Introduction
On Monday, July 1st, 2024, details were published on CVE-2024-6387, a signal handler race condition vulnerability in OpenSSH. The Broadcom Product Security and Incident Response Team (PSIRT) - VMware Cloud Foundation Division (VCFD) has evaluated this vulnerability and its impact on VMware Cloud Foundation products.
Not Impacted:
VMware HCX WAN Optimization Appliance (WAN-OPT) 4.9.1
VMware HCX Sentinel Data Receiver Appliance (SDR) 4.9.1
VMware HCX Sentinel Gateway Appliance (SGW) 4.9.1
Potentially Impacted (ships with vulnerable versions of OpenSSH, but are 64-bit):
ESXi 8.x
ESXi 7.x
vCenter Server 8.x
Aria Operations 8.18.x
Aria Operations 8.17.x
Aria Operations 8.16.x
Aria Operations 8.14.x
Aria Operations for Logs 8.18.x
Aria Operations for Logs 8.16.x
Aria Operations for Logs 8.14.x
Aria Automation 8.18.x
Aria Automation 8.17.x
Aria Automation 8.16.x
Aria Automation Orchestrator 8.18.x
Aria Automation Orchestrator 8.17.x
Aria Automation Orchestrator 8.16.x
VCF SDDC Manager 5.2.x
VCF SDDC Manager 5.1.x
VMware Cloud Director 10.6
VMware TKrs 1.29.4 (Photon & Ubuntu)
VMware TKrs 1.28.8 (Photon & Ubuntu)
VMware TKrs 1.27.11 (Ubuntu)
VMware Site Recovery Manager 9.x
VMware Site Recovery Manager 8.8.x
VMware vSphere Replication 9.x
VMware vSphere Replication 8.8.x
VMware vCloud Usage Meter 4.8.x
VMware Cloud Provider Lifecycle Manager 1.7.x
VMware HCX Manager 4.9.1
Impacted (ship vulnerable versions of OpenSSH and are 32-bit)
None
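The product lists above sort each product into one of three buckets by combining two facts: whether it ships an OpenSSH release affected by CVE-2024-6387, and whether that OpenSSH runs as a 32-bit or 64-bit binary (the public research demonstrated exploitation only against 32-bit builds, which is why 64-bit products are "Potentially Impacted" rather than "Impacted"). The script below applies the same bucketing to an SSH-banner inventory so a defender can triage hosts that are not covered by the article. It is an added example, not Broadcom or VMware code: the affected version window (8.5p1 up to but not including 9.8p1, plus anything older than 4.4p1) is taken from the upstream CVE description rather than from this article, the inventory records are constructed for illustration, and the `Host` fields and function names are this example's own.

```python
"""Triage helper that mirrors the Not Impacted / Potentially Impacted / Impacted
buckets used in the article above.

Added example, not Broadcom/VMware code. Assumptions (not stated in the article):
  - Affected OpenSSH releases are 8.5p1 <= version < 9.8p1, and anything older
    than 4.4p1 (upstream CVE-2024-6387 description). Every boundary sits at p1,
    so only (major, minor) is compared.
  - Inventory records are constructed here; in practice they would come from an
    asset inventory or an SSH banner scan the defender already runs.
"""
import re
from dataclasses import dataclass

MIN_AFFECTED = (8, 5)  # 8.5p1 reintroduced the race (assumed upstream range)
FIXED = (9, 8)         # fixed in 9.8p1
OLD_FIXED = (4, 4)     # releases before 4.4p1 carried the original bug

# Matches the version in an OpenSSH identification string, e.g. "SSH-2.0-OpenSSH_9.3p1 Ubuntu-1ubuntu3".
BANNER_RE = re.compile(r"SSH-2\.0-OpenSSH_(\d+)\.(\d+)(?:p\d+)?")


@dataclass
class Host:
    name: str           # hypothetical host name (constructed)
    banner: str         # SSH identification string as returned by the server
    bits: int           # architecture of the sshd build: 32 or 64
    ssh_enabled: bool   # whether the SSH service is currently running


def parse_openssh_version(banner: str):
    """Return (major, minor) from an OpenSSH banner, or None if the server is not OpenSSH."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))


def is_affected_version(version) -> bool:
    """True when the version falls inside the assumed affected windows."""
    return version < OLD_FIXED or MIN_AFFECTED <= version < FIXED


def classify(host: Host) -> str:
    """Map a host to the article's buckets using the same two criteria the lists use."""
    version = parse_openssh_version(host.banner)
    if version is None or not is_affected_version(version):
        return "Not Impacted"
    if host.bits == 32:
        return "Impacted"
    return "Potentially Impacted"


def triage(hosts):
    """Return {name: (bucket, note)}; the note records whether the recommended
    workaround (SSH disabled) is already in place."""
    result = {}
    for h in hosts:
        note = ("SSH disabled (recommended state)" if not h.ssh_enabled
                else "SSH enabled: disable per product documentation")
        result[h.name] = (classify(h), note)
    return result


# Constructed sample inventory; banners and architectures are illustrative only.
SAMPLE_HOSTS = [
    Host("mgmt-host-01", "SSH-2.0-OpenSSH_9.3p1", 64, True),
    Host("lab-appliance-02", "SSH-2.0-OpenSSH_8.9p1", 32, False),
    Host("jump-03", "SSH-2.0-OpenSSH_9.8p1", 64, True),
    Host("iot-gw-04", "SSH-2.0-dropbear_2022.83", 32, True),
]

if __name__ == "__main__":
    for name, (bucket, note) in triage(SAMPLE_HOSTS).items():
        print(f"{name:18} {bucket:22} {note}")
```

A banner-only check is a starting point, not a verdict: vendors frequently backport the fix without bumping the advertised version, so a host that this script marks "Potentially Impacted" may already be patched. For the VMware products named in this article, the product lists above take precedence over the banner heuristic, and the note column is there to remind the operator that disabling SSH, the workaround the article recommends, removes the exposure regardless of bucket.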
Resolution
Workarounds
The VMware Cloud Foundation Division continues to recommend that SSH remain disabled (it is disabled by default) in production environments. Please see the product-specific documentation for details on how to disable SSH if it has been enabled. Alternative workarounds are not recommended and may have functional impacts on a product if implemented without published instructions. If additional workarounds are tested and approved, they will be mentioned in the 'Product Impact' section above.
Resolution
Regardless of the exploitability of CVE-2024-6387, VMware Cloud Foundation products will consume versions of OpenSSH that are not affected by CVE-2024-6387 in previously scheduled future releases.
This is an ongoing event; please subscribe to receive notifications when this article is updated.
Additional Information
Changelog:
07/01/2024 - Initial Publication
07/02/2024 - Added products to Not Impacted and Potentially Impacted sections
VMware Aria Operations for Logs
VCF SDDC Manager
VMware Cloud Director
NSX & NSX-T Datacenter
VMware Identity Manager
07/03/2024 - Added products to Not Impacted and Potentially Impacted sections
VMware Aria Automation
VMware Automation Orchestrator
VMware TKrs
07/04/2024 - Added products to Not Impacted and Potentially Impacted sections
VMware Cloud Provider Lifecycle Manager
Usage Meter
VMware Site Recovery Manager
VMware vSphere Replication
07/05/2024 - Added products to Not Impacted section
VMware Cloud Provider Lifecycle Manager
07/08/2024 - Added products to Not Impacted and Potentially Impacted sections
VMware HCX
9/9/2024 - No changes; republished due to a search issue, to see whether reindexing fixes it.