Low
1. Impacted Products
VMware HCX
2. Introduction
An information disclosure vulnerability in VMware HCX was privately reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.
3. Advisory Details
Description
VMware HCX contains an information disclosure vulnerability. VMware has evaluated the severity of this issue to be in the low severity range with a maximum CVSSv3 base score of 2.7.
Known Attack Vectors
A malicious actor with network user access to the VMware HCX appliance may be able to gain access to sensitive information.
Resolution
To remediate CVE-2022-22953 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' below.
Workarounds
None.
Additional Documentation
None.
Notes
None.
Acknowledgements
VMware would like to thank Fernando Gallego of NCC Group for reporting this issue to us.
Response Matrix
4. References
Fixed Version(s) and Release Notes:
VMware HCX 4.3.3
Downloads and Documentation:
https://docs.vmware.com/en/VMware-HCX/4.3.3/rn/vmware-hcx-433-release-notes/index.html
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22953
FIRST CVSSv3 Calculator:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
5. Change Log
2022-06-15 VMSA-2022-0017
Initial security advisory.
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
E-mail: security@vmware.com
PGP key at:
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2022 VMware Inc. All rights reserved.