{
	"id": "56128595-75dd-4ea1-bcba-053e113d621c",
	"created_at": "2026-04-06T03:36:22.725301Z",
	"updated_at": "2026-04-10T03:21:50.041076Z",
	"deleted_at": null,
	"sha1_hash": "ed04077a890f182575689687743654d9a1325bf0",
	"title": "vcf-security-and-compliance-guidelines/security-advisories/vmsa-2024-0019/README.md at main · vmware/vcf-security-and-compliance-guidelines",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63933,
	"plain_text": "vcf-security-and-compliance-guidelines/security-advisories/vmsa-2024-0019/README.md at main · vmware/vcf-security-and-compliance-guidelines\r\nBy plankers\r\nArchived: 2026-04-06 03:11:36 UTC\r\nVMSA-2024-0019: Questions \u0026 Answers\r\nIntroduction\r\nOn September 17, 2024 Broadcom released a critical VMware Security Advisory (VMSA), VMSA-2024-0019,\r\naddressing security vulnerabilities found and resolved in VMware vCenter. The advisory was updated on October\r\n21, 2024 with updated software packages to address security and functional issues reported after the original\r\ndisclosure.\r\nThe updated advisory contains patches applicable to vCenter 7.0.3, 8.0.2, and 8.0.3. All customers should apply\r\nthese refreshed updates.\r\nThe VMSA will always be the source of truth for what products \u0026 versions are affected and proper patches to\r\nkeep your organization secure. This document is a corollary to the advisory and includes self-service information\r\nto help you and your organization decide how to respond.\r\nThese vulnerabilities are memory management and corruption issues which can be used against VMware vCenter\r\nservices, potentially allowing remote code execution.\r\nYou are affected if you are running any version of vSphere or VMware Cloud Foundation prior to the versions\r\nlisted in the VMSA. Please consult the VMSA itself for the definitive list of affected versions. 
If you have a\r\nquestion about whether you are affected, it is likely that you are, and you should take action immediately.\r\nCurrent Update\r\nUpdated at 0930 PDT (-0700) on November 18, 2024.\r\nNext Expected Update\r\nThere is not a regular update schedule for this document; it will be updated as needed.\r\nRelevant Links\r\nVMware Security Advisory VMSA-2024-0019 (the security advisory itself)\r\nhttps://github.com/vmware/vcf-security-and-compliance-guidelines/blob/main/security-advisories/vmsa-2024-0019/README.md\r\nPage 1 of 7\n\nVMSA-2024-0019 Questions \u0026 Answers (this document’s link)\r\nvSphere Security Configuration \u0026 Hardening Guides (the reference for hardening VMware vSphere, virtual\r\nmachines, and in-guest settings like VMware Tools)\r\nVMware Cloud Foundation Security Advisories (list of all disclosed security vulnerabilities)\r\nVMware Security Advisory Mailing List (please subscribe for proactive notifications of security advisories)\r\nBest Practices for Patching VMware vSphere (advice for ensuring patching success)\r\nVMware Ports \u0026 Protocols \u0026 VMware vSphere Firewalling Helper (assistance in determining ingress \u0026 egress\r\nfirewall rule sets)\r\nVMware vSphere Critical Patch Downloads (support.broadcom.com)\r\nvSphere Web Client Becomes Unresponsive After Upgrading to vCenter 8 Update 3B (KB and workaround)\r\nWho does this affect?\r\nThese vulnerabilities affect customers who have deployed VMware vCenter. Users of VMware vSphere or\r\nVMware Cloud Foundation running versions older than the fixed versions listed in the VMSA are vulnerable.\r\nFor a definitive list of affected versions, please refer to the VMSA directly. If there is any uncertainty about\r\nwhether a system is affected, it should be presumed vulnerable, and immediate action should be taken.\r\nWhen do I need to act?\r\nThese issues would qualify under ITIL methodologies as an emergency change, requiring prompt action from your\r\norganization. 
However, the specific response timing depends on your unique circumstances. It is advisable to\r\nconsult immediately with your organization’s information security staff. They will assess the situation and\r\ndetermine the most appropriate course of action for your specific organizational context.\r\nWhat should I do to protect myself?\r\nTo ensure full protection for yourself and your organization, install one of the update versions listed in the\r\nVMware Security Advisory.\r\nWhile other mitigations may be available depending on your organization’s security posture, defense-in-depth\r\nstrategies, and firewall configurations, each organization must evaluate the adequacy of these protections\r\nindependently.\r\nThe most reliable method to address these vulnerabilities is to apply the recommended patches.\r\nWhat products are affected?\r\nVMware vCenter and any products that contain vCenter, including VMware vSphere and VMware Cloud\r\nFoundation.\r\nWhat CVE numbers are involved in these disclosures?\r\nCVE-2024-38812 and CVE-2024-38813.\r\nWhat is the severity of the vulnerabilities?\r\n9.8 (CVE-2024-38812) and 7.5 (CVE-2024-38813), scored using version 3.1 of the Common Vulnerability Scoring System (CVSS).\r\nAre there additional details about the vectors of the vulnerabilities?\r\nVMware Security Advisories link to the FIRST CVSS v3.1 calculator, with the vectors pre-filled for the individual\r\nvulnerabilities. This information is found in the ‘References’ section of the advisory.\r\nAre the vulnerabilities being exploited “in the wild?”\r\nBroadcom has confirmed that exploitation has occurred \"in the wild\" for CVE-2024-38812 and CVE-2024-38813.\r\nIf I updated with the initial patches in VMSA-2024-0019 do I need to update with VMSA-2024-0019.2?\r\nYes. 
These new updates resolve security and operational issues reported to us after the initial release.\r\nIs the workaround still necessary for the web client issues?\r\nNo, the patches listed in VMSA-2024-0019.2 resolve the web client issues wherever they were present.\r\nIf I did the workaround for the web client issues, do I have to undo it to apply the patches?\r\nNo. Just apply the patch.\r\nDo I have to apply both sets of patches?\r\nSecurity updates are cumulative within a product branch. If you apply the latest patches for a supported version of\r\nvSphere or Cloud Foundation you will have all of the available updates.\r\nDo I have to update VMware vCenter?\r\nYes; vCenter is affected by this VMSA.\r\nSee “Best Practices for Patching VMware vSphere” for guidance on updating vSphere components.\r\nDo I have to update VMware ESXi?\r\nNo; ESXi is not affected by this VMSA.\r\nDo I have to update SDDC Manager?\r\nNo; SDDC Manager is not affected by this VMSA.\r\nDo I have to update VMware Cloud Foundation Operations or Automation components?\r\nNo; these components are not affected by this VMSA.\r\nDo I have to update VMware NSX?\r\nNo; NSX is not affected by this VMSA. However, there is a recent VMSA that does impact NSX, which you\r\nshould evaluate.\r\nWill there be a patch for VMware Cloud Foundation?\r\nYes, there is an asynchronous patch for VMware Cloud Foundation 4.x and 5.x. Please follow the instructions\r\nlinked in the VMSA itself.\r\nThere was a commitment made to provide critical patches for perpetual-license vSphere\r\ncustomers. How do I download those patches?\r\nOn April 15, 2024, Broadcom announced via blog post that all customers, including those with expired support\r\ncontracts, will have access to all patches for Critical Severity Security Alerts for supported versions of VMware\r\nvSphere. 
This policy can be found in KB 314603.\r\nThese patches are located on support.broadcom.com. You will need to create an account, which can be done in a\r\nfew minutes and at no cost.\r\n1. Log in and choose “VMware Cloud Foundation” from the drop-down menu near the top right.\r\n2. Choose “My Downloads” from the menu on the left.\r\n3. Choose “VMware vSphere” as the product (page two of the list).\r\n4. Choose the “Solutions” tab.\r\n5. Choose the edition and version of vSphere.\r\nA direct link to this location is in the links above. You may need to log in first and then visit the link.\r\nAre there workarounds for these vulnerabilities?\r\nNot as part of this advisory. There may be other mitigations and compensating controls available in your\r\norganization, depending on your security posture, defense-in-depth strategies, and configurations of perimeter\r\nfirewalls and appliance firewalls. All organizations must decide for themselves whether to rely on those\r\nprotections; VMware Global Support (GS) cannot decide for you what is appropriate for your organization.\r\nFor assistance that is tailored to your environment and organization please contact your account team about\r\nVMware Professional Services.\r\nIf I am not using Enhanced Linked Mode am I safe?\r\nNo; the issues in this VMSA are not due to the use of Enhanced Linked Mode (ELM), they are issues with vCenter\r\nitself, and present even if ELM is not in use. Even if you are not using ELM you need to update or take steps to\r\nmitigate the issues.\r\nIf I am not using Integrated Windows Authentication am I safe?\r\nNo; the issues in this VMSA are not due to the use of Integrated Windows Authentication (IWA), they are issues\r\nwith vCenter itself, and present even if IWA is not in use. 
Even if you are not using IWA, you need to update or\r\ntake steps to mitigate the issues.\r\nWhat versions or builds are affected by these issues?\r\nYou are affected if you are running any version of vCenter prior to the fixed versions listed in the VMSA. Please\r\nconsult the VMSA itself for the definitive list of affected versions. If you have a question about whether you are\r\naffected, it is likely that you are, and you should take action immediately.\r\nBroadcom always recommends applying the latest updates to all software products.\r\nHow do I check the build or version number of VMware vCenter?\r\nThe build information is available in the Summary tab of the vSphere Client. It can also be queried with\r\nPowerCLI. Once connected using Connect-VIServer, the build number is available in the\r\n$global:DefaultVIServer.Build property (there is also $global:DefaultVIServer.Version). Compare that build against the fixed builds listed in the VMSA for your branch.\r\nIf I update vCenter will it affect running workloads?\r\nNo. vCenter is the management interface to a vSphere cluster. You will lose the use of the vSphere Client briefly\r\nduring the update, and other management methods will be similarly impacted, but virtual machine and container\r\nworkloads will be unaffected.\r\nCan I use the vCenter VAMI to apply these updates?\r\nYes, the patch is available through the standard update mechanisms for VMware vSphere and VMware Cloud\r\nFoundation. Consult the product documentation for the version of the product you use.\r\nSee “Best Practices for Patching VMware vSphere” for additional guidance on updating vSphere components.\r\nAre there any known issues with this patch?\r\nThere are no known issues with the updates listed in VMSA-2024-0019.2.\r\nThere was an issue with the original VMSA-2024-0019 update regarding session timeouts when accessing\r\nvCenter (with a workaround at KB 377734). 
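
The PowerCLI check described under “How do I check the build or version number of VMware vCenter?” above, worked into a script. This is an added example, not code from the Q&A or from Broadcom: it reads Version and Build from every vCenter connected in the current PowerCLI session and compares the build against a table of minimum fixed builds that you copy in from the VMSA. Connect-VIServer, $global:DefaultVIServers and the Name, Version and Build properties are real PowerCLI; the function names Test-VcsaBuild and Get-VcsaPatchStatus, the $FixedBuilds table and its branch keys, the status strings, and the sample values in the offline calls are this example's own assumptions. The fixed build numbers are deliberately not hard-coded, because the VMSA is the source of truth; with the table left empty every server reports “assume affected”.

```powershell
# Added example, not part of the VMSA-2024-0019 Q&A or of Broadcom's tooling.
# Requires the VMware.PowerCLI module and, for the live check, a Connect-VIServer session.
# The minimum fixed build numbers are NOT embedded here: copy them from the VMSA
# into $fixedBuilds before trusting a 'patched' result.

function Test-VcsaBuild {
    # Pure comparison helper (no vCenter access) so it can be exercised with
    # constructed values. Status is 'patched', 'AFFECTED', or 'assume affected' when
    # the release branch is not in $FixedBuilds (for example vSphere 6.5/6.7, which are
    # past End of General Support and, per the Q&A, should be presumed vulnerable).
    param(
        [Parameter(Mandatory)] [string]    $Name,
        [Parameter(Mandatory)] [string]    $Version,      # as PowerCLI reports it, e.g. '8.0.3'
        [Parameter(Mandatory)] [string]    $Build,        # PowerCLI reports Build as a string
        [Parameter(Mandatory)] [hashtable] $FixedBuilds   # branch key ('8.0.3') -> minimum fixed build
    )

    # Normalise to a major.minor.update branch key (hypothetical key format chosen for this table).
    $parts  = $Version.Split('.')
    $branch = ($parts | Select-Object -First 3) -join '.'

    if ($Build -notmatch '^[0-9]+$') {
        $status = 'unknown build (not numeric); verify in the vSphere Client'
    } elseif (-not $FixedBuilds.ContainsKey($branch)) {
        $status = 'assume affected (branch not in fixed-build table; consult the VMSA)'
    } elseif ([int64]$Build -ge [int64]$FixedBuilds[$branch]) {
        $status = 'patched'
    } else {
        $status = 'AFFECTED'
    }

    [pscustomobject]@{
        Server  = $Name
        Version = $Version
        Branch  = $branch
        Build   = $Build
        Status  = $status
    }
}

function Get-VcsaPatchStatus {
    # Applies Test-VcsaBuild to every vCenter in the current PowerCLI session.
    # Connect-VIServer populates $global:DefaultVIServers; Enhanced Linked Mode peers
    # are not enumerated automatically, so connect to each vCenter explicitly.
    param([Parameter(Mandatory)] [hashtable] $FixedBuilds)

    if (-not $global:DefaultVIServers) {
        throw 'No vCenter connection in this session; run Connect-VIServer first.'
    }
    foreach ($vc in $global:DefaultVIServers) {
        Test-VcsaBuild -Name $vc.Name -Version $vc.Version -Build $vc.Build -FixedBuilds $FixedBuilds
    }
}

# Fill this from the VMSA, one entry per branch you run (7.0.3, 8.0.2, 8.0.3).
# Left empty here on purpose (fail-safe): every server then reports 'assume affected'.
$fixedBuilds = @{}

# Offline exercise of the comparison logic with constructed, hypothetical values
# (the build numbers below are placeholders, not real vCenter builds).
Test-VcsaBuild -Name 'constructed-a' -Version '8.0.3' -Build '1' -FixedBuilds @{ '8.0.3' = 2 }  # build below the table entry
Test-VcsaBuild -Name 'constructed-b' -Version '6.7.0' -Build '1' -FixedBuilds $fixedBuilds       # branch absent from the table

# Live check against the connected vCenter(s), skipped when there is no session.
if ($global:DefaultVIServers) {
    Get-VcsaPatchStatus -FixedBuilds $fixedBuilds | Format-Table -AutoSize
} else {
    Write-Warning 'Not connected to any vCenter; skipping the live check.'
}
```

Run it in a PowerCLI session after Connect-VIServer to each vCenter you manage, including every ELM peer. A “patched” result is only meaningful once $fixedBuilds holds the build numbers from the VMSA; the empty default makes every branch fall through to “assume affected”, which is the safe failure mode for an advisory-driven check.
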
This is resolved with the re-release.\r\nIf you enable SSH on vCenter in order to implement the workaround, remember to disable it again afterwards.\r\nDoes this impact VMware vSphere 6.5 or 6.7?\r\nYes; assume they are affected. Products that are past their End of General Support dates are not evaluated as part of security advisories. If\r\nyour organization has extended support please use those processes to request assistance.\r\nDo I have to update to vCenter 8.0.3 to receive this patch?\r\nNo. You can update either vCenter 8.0.2 or vCenter 8.0.3.\r\nvSphere 8 Update 3 is considered the best version of vSphere 8 and intended for long-term stability and support.\r\nAll new security updates are built atop vSphere 8 Update 3.\r\nDo I have to update to vCenter 7.0.3 to receive this patch?\r\nYes. vSphere 7 Update 3 was released in January 2022 and is considered the best version of vSphere 7, intended\r\nfor long-term stability and support.\r\nI am using a third-party solution such as HPE SimpliVity, Dell EMC VxRail, and so on. Is it safe\r\nfor me to apply the update?\r\nThird-party engineered systems control their patch levels and configurations as part of their qualification and\r\ntesting processes. Using security guidance that is not explicitly for that product and product version is never\r\nadvised. If you use engineered and integrated solutions please contact those vendors directly for guidance.\r\nBroadcom is not involved in, and cannot speak to, third-party product release schedules.\r\nAre VMware Cloud and hosted products updated?\r\nVMSA information is delivered as a message inside hosted, cloud, and software-as-a-service products where\r\napplicable. 
Please check the administrative consoles of those services for further relevant messages and details\r\nabout this VMSA.\r\nAdditional questions about the service should be answered through the support processes for that service. Thank\r\nyou.\r\nChange Log\r\nSpecific changes to this document can be easily tracked with GitHub's \"History\" and \"Blame\" functions (buttons\r\nabove).\r\nDisclaimer\r\nThis document is intended to provide general guidance for organizations that are considering Broadcom solutions.\r\nThe information contained in this document is for educational and informational purposes only. This document is\r\nnot intended to provide advice and is provided “AS IS.” Broadcom makes no claims, promises, or guarantees\r\nabout the accuracy, completeness, or adequacy of the information contained herein. Organizations should engage\r\nappropriate legal, business, technical, and audit expertise within their specific organization for review of\r\nrequirements and effectiveness of implementations.\r\nSource: https://github.com/vmware/vcf-security-and-compliance-guidelines/blob/main/security-advisories/vmsa-2024-0019/README.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://github.com/vmware/vcf-security-and-compliance-guidelines/blob/main/security-advisories/vmsa-2024-0019/README.md"
	],
	"report_names": [
		"README.md"
	],
	"threat_actors": [],
	"ts_created_at": 1775446582,
	"ts_updated_at": 1775791310,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ed04077a890f182575689687743654d9a1325bf0.pdf",
		"text": "https://archive.orkl.eu/ed04077a890f182575689687743654d9a1325bf0.txt",
		"img": "https://archive.orkl.eu/ed04077a890f182575689687743654d9a1325bf0.jpg"
	}
}