VMSA-2022-0003: VMware Cloud Foundation contains an information disclosure vulnerability due to the logging of plaintext credentials within some log files
23629
12 February 2022
29 January 2022
CLOSED
MEDIUM
6.0
CVE-2022-22939
1. Impacted Products
VMware Cloud Foundation (Cloud Foundation)
2. Introduction
An information disclosure vulnerability in VMware Cloud Foundation SDDC Manager was discovered. Updates are available to remediate this vulnerability in VMware Cloud Foundation.
3. Information disclosure vulnerability in VMware Cloud Foundation SDDC Manager (CVE-2022-22939)
Description
VMware Cloud Foundation contains an information disclosure vulnerability due to logging of credentials in plaintext within multiple log files on the SDDC Manager.
Known Attack Vectors
A malicious actor with root access on VMware Cloud Foundation SDDC Manager may be able to view credentials in plaintext within one or more log files.
Resolution
To remediate CVE-2022-22939, apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments.
Workarounds
Workarounds for CVE-2022-22939 have been listed in the 'Workarounds' column of the 'Response Matrix' below.
Additional Documentation
None.
Notes
None.
Acknowledgements
None.
Response Matrix
4. References
Fixed Version(s) and Release Notes:
VMware vCloud Foundation 4.x
Downloads and Documentation:
VMware vCloud Foundation 3.x
Downloads and Documentation:
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22939
FIRST CVSSv3 Calculator:
CVE-2022-22939: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
5. Change Log
2022-01-31 VMSA-2022-0003
Initial security advisory.
2022-02-14 VMSA-2022-0003.1
Updated security advisory to add VMware Cloud Foundation 3.11 version in the response matrix of Section 3.
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2022 VMware Inc. All rights reserved.