Release Notes
Product | Version | Release Date | Release Notes |
---|---|---|---|
vCenter Server (VMSA-2024-0019.2) | 7.0 u3t | 10/21/24 | Release Notes |
vCenter Server (VMSA-2024-0019.2) | 8.0 u2e | 10/21/24 | Release Notes |
vCenter Server (VMSA-2024-0019.2) | 8.0 u3d | 10/21/24 | Release Notes |
VCF BOM
Product | Version | Release Date | Build Number | Release Notes |
---|---|---|---|---|
Cloud Builder VM | 5.2.1 | 10/09 | 24307856 | Release Notes |
SDDC Manager | 5.2.1 | 10/09 | 24307856 | Release Notes |
vCenter Server | 8.0 u3c | 10/09 | 24305161 | Release Notes |
VMware ESXi | 8.0 u3b | 09/17 | 24280767 | Release Notes |
vSAN Witness | 8.0u3b | 09/17 | 24280767 | Release Notes |
NSX | 4.2.1 | 10/09 | 24304122 | Release Notes |
Aria Suite Lifecycle | 8.18 | 07/23 | 24029603 | Release Notes |
Security Advisory
VMSA-2024-0021 [HIGH][HCX][CVSSv3: 8.8]
CVE(s)
- Authenticated SQL injection in VMware HCX (CVE-2024-38814)
- VMware NSX local privilege escalation vulnerability (CVE-2024-38818)
- VMware NSX content spoofing vulnerability (CVE-2024-38815)
Description:
VMware HCX contains an authenticated SQL injection vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8. A malicious authenticated user with non-administrator privileges may be able to enter specially crafted SQL queries and perform unauthorized remote code execution on the HCX manager. To remediate CVE-2024-38814 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below. VMware would like to thank Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative (ZDI) for reporting this issue to us.
Response Matrix:
Version | CVE | Fixed Version | Workaround |
---|---|---|---|
4.10.x | CVE-2024-38814 | 4.10.1 | None |
4.9.x | CVE-2024-38814 | 4.9.2 | None |
4.8.x | CVE-2024-38814 | 4.8.3 | None |
Knowledge Base Article
Subject | KB Article |
---|---|
VMware Aria Operations upgrade from 8.17 to 8.18.1 fails with the error “error: Failedresource key=pak_manager.action_failed, resource args=[run sql db upgrade]” | 380654 |
Migration/Downtime for Aria Operations for Networks Appliance Registration server | 380652 |
Reconnecting a failed host Returns the error “Credentials for host need to be specified” | 380641 |
Can’t enable vSAN Performance Service on a new vSAN cluster | 380597 |
VM vNIC in disconnected state from VC UI. | 380565 |
SCSI Host Status H:0x7 observed in the vmkernel logs | 380530 |
NSX Manager reports Node Agent is down | 380524 |
ESXi hosts disconnecting after changing IP address of vCenter | 380515 |
Creating a segment on the NSX-T Manager is it not displayed on vCenter | 380490 |
Dynatrace shows following warning: VMware ESX server availability less than 90% | 380471 |
VMware Identity Manager: where there is a large number of psql database timeout errors waiting for the DC to respond, the vIDM system may be unable to provide authentication for users. | 380427 |
ESXi Host Domain Join Fails with LW_ERROR_DOMAIN_IS_OFFLINE Error | 380409 |
NCP authentication fails when using a complex password. Error: Authentication Failed: Empty Password | 380369 |
Unable to collect metrics for F5 BIG IP load balancer in Aria Operations for Networks. | 380345 |
During the update of vSAN Witness host, the files cannot be downloaded to the host | 380311 |
Unexpected reboot of ESXi hosts | 380152 |
Unable to remove missing resources from the deployment. | 380143 |
How to manage vSphere replication solution in cluster image manually | 380129 |
How to prevent passwords leaking when using pillar data of salt. | 380125 |
VMware vCenter Converter Standalone xfs filesystem options support | 380112 |
Flow metrics in Aria Operations for Networks are showing unexpected values in Terabytes/Petabytes | 380107 |
Credential in Aria Operations cannot be edited | 380100 |