Security bulletins

From time to time, we might release security bulletins related to Google Cloud VMware Engine. All security bulletins for VMware Engine are described here.

Use this XML feed to subscribe to security bulletins for this page.

GCP-2024-016

Published: 2024-03-05

Description	Severity	Notes
VMware disclosed multiple vulnerabilities in VMSA-2024-0006 that impact ESXi components deployed in customer environments. Google Cloud VMware Engine impact Your private clouds have been updated to address the security vulnerability. What should I do? No action is needed on your part.	Critical	VMSA-2024-0006 CVE-2024-22252 CVE-2024-22253 CVE-2024-22254 CVE-2024-22255

Description

Severity

Notes

VMware disclosed multiple vulnerabilities in VMSA-2024-0006 that impact ESXi components deployed in customer environments.

Google Cloud VMware Engine impact

Your private clouds have been updated to address the security vulnerability.

What should I do?

No action is needed on your part.

Critical

GCP-2023-034

Published: 2023-10-25

Updated: 2023-10-27

Description	Severity	Notes
VMware disclosed multiple vulnerabilities in VMSA-2023-0023 that impact vCenter components deployed in customer environments. Google Cloud VMware Engine impact The vulnerability can be exploited by accessing specific ports in vCenter Server. These ports are not exposed to the public internet. If your vCenter ports 2012/tcp, 2014/tcp, and 2020/tcp are not accessible by untrusted systems, then you are not exposed to this vulnerability. Google has already blocked the vulnerable ports on vCenter server, preventing any potential exploit of this vulnerability. In addition, Google will ensure all future deployments of vCenter server are not exposed to this vulnerability. At the time of the bulletin, VMware is not aware of any exploitation "in the wild". For more details please refer to the VMware documentation for more information. What should I do? No further action is required at this time.	Critical	CVE-2023-34048, CVE-2023-34056

Description

Severity

Notes

VMware disclosed multiple vulnerabilities in VMSA-2023-0023 that impact vCenter components deployed in customer environments.

Google Cloud VMware Engine impact

The vulnerability can be exploited by accessing specific ports in vCenter Server. These ports are not exposed to the public internet.
If your vCenter ports 2012/tcp, 2014/tcp, and 2020/tcp are not accessible by untrusted systems, then you are not exposed to this vulnerability.
Google has already blocked the vulnerable ports on vCenter server, preventing any potential exploit of this vulnerability.
In addition, Google will ensure all future deployments of vCenter server are not exposed to this vulnerability.
At the time of the bulletin, VMware is not aware of any exploitation "in the wild". For more details please refer to the VMware documentation for more information.

What should I do?

No further action is required at this time.

Critical

CVE-2023-34048, CVE-2023-34056

GCP-2023-027

Published: 2023-09-11

Description	Severity	Notes
VMware vCenter Server updates address multiple memory corruption vulnerabilities (CVE-2023-20892, CVE-2023-20893, CVE-2023-20894, CVE-2023-20895, CVE-2023-20896) VMware Engine impact VMware vCenter Server (vCenter Server) and VMware Cloud Foundation (Cloud Foundation). What should I do? Customers are not impacted and no action needs to be taken.	Medium	CVE-2023-20893

Description

Severity

Notes

VMware vCenter Server updates address multiple memory corruption vulnerabilities (CVE-2023-20892, CVE-2023-20893, CVE-2023-20894, CVE-2023-20895, CVE-2023-20896)

VMware Engine impact

VMware vCenter Server (vCenter Server) and VMware Cloud Foundation (Cloud Foundation).

What should I do?

Customers are not impacted and no action needs to be taken.

Medium

CVE-2023-20893

GCP-2023-025

Published: 2023-08-08

Description	Severity	Notes
Intel recently announced Intel Security Advisory INTEL-SA-00828 impacting some of their processor families. You are encouraged to assess your risks based on the advisory. VMware Engine impact Our fleet utilizes the impacted processor families. In our deployment, the entire server is dedicated to one customer. Hence, our deployment model doesn't add any additional risk to your assessment of this vulnerability. We are working with our partners to obtain necessary patches and will be deploying these patches on priority across the fleet using the standard upgrade process in the next several weeks. What should I do? No action is needed on your part, we are working on upgrading all the impacted systems.	High	CVE-2022-40982

Description

Severity

Notes

Intel recently announced Intel Security Advisory INTEL-SA-00828 impacting some of their processor families. You are encouraged to assess your risks based on the advisory.

VMware Engine impact

Our fleet utilizes the impacted processor families. In our deployment, the entire server is dedicated to one customer. Hence, our deployment model doesn't add any additional risk to your assessment of this vulnerability.

We are working with our partners to obtain necessary patches and will be deploying these patches on priority across the fleet using the standard upgrade process in the next several weeks.

What should I do?

No action is needed on your part, we are working on upgrading all the impacted systems.

High

CVE-2022-40982

GCP-2021-023

Published: 2021-09-21

Description	Severity	Notes
Per VMware security advisory VMSA-2021-0020, VMware received reports of multiple vulnerabilities in vCenter. VMware has made updates available to remediate these vulnerabilities in affected VMware products. We have already applied the patches provided by VMware for the vSphere stack to Google Cloud VMware Engine per the VMware security advisory. This update addresses the security vulnerabilities described in CVE-2021-22005, CVE-2021-22006, CVE-2021-22007, CVE-2021-22008, and CVE-2021-22010. Other non-critical security issues will be addressed in the upcoming VMware stack upgrade (per the advance notice sent in July, more details will be provided soon on the specific timeline of the upgrade). VMware Engine impact Based on our investigations, no customers were found to be impacted. What should I do? Because VMware Engine clusters are not affected by this vulnerability, no further action is required.	Critical	VMSA-2021-0020 CVE-2021-22005 CVE-2021-22006 CVE-2021-22007 CVE-2021-22008 CVE-2021-22010

Description

Severity

Notes

Per VMware security advisory VMSA-2021-0020, VMware received reports of multiple vulnerabilities in vCenter. VMware has made updates available to remediate these vulnerabilities in affected VMware products.

We have already applied the patches provided by VMware for the vSphere stack to Google Cloud VMware Engine per the VMware security advisory. This update addresses the security vulnerabilities described in CVE-2021-22005, CVE-2021-22006, CVE-2021-22007, CVE-2021-22008, and CVE-2021-22010. Other non-critical security issues will be addressed in the upcoming VMware stack upgrade (per the advance notice sent in July, more details will be provided soon on the specific timeline of the upgrade).

VMware Engine impact

Based on our investigations, no customers were found to be impacted.

What should I do?

Because VMware Engine clusters are not affected by this vulnerability, no further action is required.

Critical

GCP-2021-010

Published: 2021-05-25

Description	Severity	Notes
Per VMware security advisory VMSA-2021-0010, remote code execution and authentication bypass vulnerabilities in vSphere Client (HTML5) were privately reported to VMware. VMware has made updates available to remediate these vulnerabilities in affected VMware products. We have applied the patches provided by VMware for the vSphere stack per the VMware security advisory. This update addresses security vulnerabilities described in CVE-2021-21985 and CVE-2021-21986. The image versions running in your VMware Engine private cloud don't reflect any change at this time to indicate the patches applied. Please rest assured that appropriate patches have been installed and your environment is secured from these vulnerabilities. VMware Engine impact Based on our investigations, no customers were found to be impacted. What should I do? Because VMware Engine clusters are not affected by this vulnerability, no further action is required.	Critical	VMSA-2021-0010 CVE-2021-21985 CVE-2021-21986

Description

Severity

Notes

Per VMware security advisory VMSA-2021-0010, remote code execution and authentication bypass vulnerabilities in vSphere Client (HTML5) were privately reported to VMware. VMware has made updates available to remediate these vulnerabilities in affected VMware products.

We have applied the patches provided by VMware for the vSphere stack per the VMware security advisory. This update addresses security vulnerabilities described in CVE-2021-21985 and CVE-2021-21986. The image versions running in your VMware Engine private cloud don't reflect any change at this time to indicate the patches applied. Please rest assured that appropriate patches have been installed and your environment is secured from these vulnerabilities.

VMware Engine impact

Based on our investigations, no customers were found to be impacted.

What should I do?

Because VMware Engine clusters are not affected by this vulnerability, no further action is required.

Critical

GCP-2021-002

Published: 2021-03-05

Description	Severity	Notes
Per VMware security advisory VMSA-2021-0002, VMware received reports of multiple vulnerabilities in VMware ESXi and vSphere Client (HTML5). VMware has made updates available to remediate these vulnerabilities in affected VMware products. We have applied the officially documented workarounds for the vSphere stack per the VMware security advisory. This update addresses security vulnerabilities described in CVE-2021-21972, CVE-2021-21973, and CVE-2021-21974. VMware Engine impact Based on our investigations, no customers were found to be impacted. What should I do? Because VMware Engine clusters are not affected by this vulnerability, no further action is required.	Critical	VMSA-2021-0002 CVE-2021-21972 CVE-2021-21973 CVE-2021-21974

Description

Severity

Notes

Per VMware security advisory VMSA-2021-0002, VMware received reports of multiple vulnerabilities in VMware ESXi and vSphere Client (HTML5). VMware has made updates available to remediate these vulnerabilities in affected VMware products.

We have applied the officially documented workarounds for the vSphere stack per the VMware security advisory. This update addresses security vulnerabilities described in CVE-2021-21972, CVE-2021-21973, and CVE-2021-21974.

VMware Engine impact

Based on our investigations, no customers were found to be impacted.

What should I do?

Because VMware Engine clusters are not affected by this vulnerability, no further action is required.

Critical