Mar 31, 2023 - 2:35 p.m.

Security Bulletin: Vulnerabilities in VMware vCenter affect IBM Cloud Pak System (CVE-2022-31697, CVE-2022-31698)

2023-03-31 14:35:22
www.ibm.com

CVSS3: 5.5 Medium
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.001 Low
Percentile: 34.8%

Summary

Vulnerabilities in VMware vCenter affect IBM Cloud Pak System. IBM Cloud Pak System has addressed those vulnerabilities.

Vulnerability Details

CVEID: CVE-2022-31697
**DESCRIPTION:** VMware vCenter Server could allow a local attacker to obtain sensitive information, caused by the logging of credentials in plaintext. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain password information and use it to launch further attacks against the affected system.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241825 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2022-31698
**DESCRIPTION:** VMware vCenter Server is vulnerable to a denial of service, caused by a flaw in the content library service. By sending a specially-crafted header, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241826 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Cloud Pak System | 2.3.3.0 - 2.3.3.5 (Intel) |
| IBM Cloud Pak System Software Suite | 2.3.3.0 - 2.3.3.5 |
| IBM Cloud Pak System | 2.3 |

Remediation/Fixes

In response to vulnerabilities found in VMware ESXi, Cloud Pak System 2.3.3.6 provides a new vCenter image that updates vCenter to version 6.7.0 U3s.

For IBM Cloud Pak System V2.3.0.1, v2.3.3.0, v2.3.3.1, v2.3.3.2, v2.3.3.3, v2.3.3.3 iFix 1, v2.3.3.4, v2.3.3.5: upgrade to IBM Cloud Pak System v2.3.3.6.

Information on upgrading can be found here: http://www.ibm.com/support/docview.wss?uid=ibm10887959.

Workarounds and Mitigations

None

| CPE Name | Operator | Version |
| --- | --- | --- |
| ibm cloud pak system software | eq | 2.3 |
