VCF Response to VMSA-2023-0005
Article ID: 323219

Products

VMware Cloud Foundation

Issue/Introduction

VMware vRealize Orchestrator contains an XML External Entity (XXE) vulnerability. This has been addressed in the following VMSA:
https://www.vmware.com/security/advisories/VMSA-2023-0005.html


Environment

VMware Cloud Foundation 4.x

Resolution

To remediate VMSA-2023-0005 in a VMware Cloud Foundation 4.x environment, please upgrade VMware vRealize Orchestrator and/or VMware vRealize Automation to version 8.11.1.
 
  1. Starting with VCF version 4.4, the SDDC Manager no longer manages the upgrades of vRealize components (even if they were originally deployed via SDDC Manager). Refer to VMware Cloud Foundation 4.4 Release Notes for more details.

  2. If the user is on a version prior to VCF 4.5, first upgrade to VCF 4.5 or higher.

  3. Once on VCF 4.5, upgrade the vRealize Suite Lifecycle Manager in place to version 8.10 or above using the vRSLCM UI. Refer to vRealize Suite Install and Upgrade Paths on VMware Cloud Foundation 4.4 and above for more information on upgrade paths.

  4. Use the vRealize Suite Lifecycle Manager to upgrade vRealize Automation to 8.11.1 or higher.