VMware Issues Updated Fix For Critical ESXi Flaw
VMware issued an updated fix for a critical-severity remote code execution flaw in its ESXi hypervisor products.
"Updated patch versions in the response matrix of section 3a after release of ESXi patches that completed the incomplete fix for CVE-2020-3992 on 2020-11-04," said Oracle's updated advisory.
The flaw exists in the OpenSLP feature of VMware ESXi.
The advisory previously said the flaw affects ESXi versions 6.5, 6.7 and 7.0; the list of affected products has now been updated to include ESXi implementations on VMware Cloud Foundation 3.x and 4.x. VMware Cloud Foundation is the hybrid cloud platform for managing VMs and orchestrating containers, built on full-stack hyperconverged infrastructure technology.
While ESXi users can update to fixed versions ESXi70U1a-17119627, ESXi670-202011301-SG and ESXi650-202011401-SG, a patch is still "Pending" for affected VMware Cloud Foundation versions.
News URL
https://threatpost.com/vmware-updated-fix-critical-esxi-flaw/160944/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-10-20 | CVE-2020-3992 | Use After Free vulnerability in VMware ESXi 6.5/6.7. OpenSLP as used in VMware ESXi (7.0 before ESXi_7.0.1-0.0.16850804, 6.7 before ESXi670-202010401-SG, 6.5 before ESXi650-202010401-SG) has a use-after-free issue. | 9.8 |