Take Control of Your
Multi-Cloud Environment

• VMware ESXi
• VMware vCenter Server (vCenter Server) 
• VMware Cloud Foundation (Cloud Foundation) 

A partial denial of service vulnerability in VMware ESXi and vCenter Server was privately reported to VMware. Patches and updates are available to remediate these vulnerabilities in affected VMware products.

VMware ESXi and vCenter Server contain a partial denial of service vulnerability in their respective authentication services. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

A malicious actor with network access to ESXi or vCenter may be able to exploit this vulnerability to exhaust memory resources resulting in a degradation of performance condition while the attack is sustained.

To remediate CVE-2020-3976 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

None.

None.

VMware would like to thank weinull of Orz Team for reporting this issue to us.

None.

Downloads and Documentation:

VMware ESXi Patch Release 7.0b

https://my.vmware.com/group/vmware/patch

https://docs.vmware.com/en/VMware-vSphere/7.0/rn/esxi70b.html

VMware ESXi 6.7 ESXi670-202008101-SG and ESXi670-202008401-BG

https://my.vmware.com/group/vmware/patch

VMware ESXi 6.5 ESXi650-202007101-SG and ESXi650-202007401-BG

https://my.vmware.com/group/vmware/patch

https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202007001.html

vCenter Server 7.0.0b

https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VC700B&productId=974&rPId=50093

https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-700b-release-notes.html

vCenter Server 6.7u3j

https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VC67U3J&productId=742&rPId=50446

https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3j-release-notes.html

vCenter Server 6.5u3k

https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VC65U3K&productId=614&rPId=50173

https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u3k-release-notes.html

VMware Cloud Foundation 4.0.1

https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VCF401&productId=1015&rPId=48125

VMware Cloud Foundation 3.10.0

https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VCF310&productId=1001&rPId=46540

VMware Cloud Foundation 3.10.1

https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VCF3101&productId=1001&rPId=51823

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3976

FIRST CVSSv3 Calculator:
CVE-2020-3976 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

2020-08-20 VMSA-2020-0018

Initial security advisory.

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce 

This Security Advisory is posted to the following lists:  

security-announce@lists.vmware.com  

bugtraq@securityfocus.com  

fulldisclosure@seclists.org 

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055 

VMware Security Advisories

https://www.vmware.com/security/advisories 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security 

Twitter

https://twitter.com/VMwareSRC

Copyright 2020 VMware Inc. All rights reserved.