Tuesday, May 16, 2023

Vulnerability Management - To be or not to be (A false positive)

I wanted to discuss a situation that leaves you clueless !!


VMware released an advisory containing security updates for the vulnerabilities CVE-2022-31696 and CVE-2022-31699 (https://www.vmware.com/security/advisories/VMSA-2022-0030.html).


Tenable then published a Nessus plugin, 168828, to detect the vulnerability (https://www.tenable.com/plugins/nessus/168828).


If you check the response matrix for CVE-2022-31696 for ESXi 7.0 in VMware's advisory, it says the fixed version is ESXi70U3si-20841705 ("05"). If you click on the link, it takes you to the ESXi 7.0 release notes (https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u3i-release-notes.html). If you scroll down a bit, you can see the download is for ESXi70U3si-20841708 ("08"). The difference between the two versions, "05" and "08", is the component and driver updates: "05" has the security updates only, while "08" has the security, component and driver updates. I have observed that in a few cases, due to hardware dependencies, support teams are not able to upgrade to "08". But Tenable is detecting the "05" version as vulnerable. Since "05" already has the security updates, support teams are claiming this detection is a false positive.


Now, in response, Tenable is saying that when you go from VMware's advisory to the release notes, the download file is for "08", so this is not a false positive: either there is a typo in VMware's advisory, or "08" is the correct build.
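To make the disagreement concrete, here is a small triage helper (an added example, not code from the post, VMware or Tenable) that parses ESXi version strings in the advisory's format and checks a host against both candidate fixed builds: the one the advisory lists ("05") and the one the release notes ship ("08"). Hosts sitting between the two are reported as "disputed" rather than vulnerable or fixed, which is exactly the case the support team is arguing about; the version-string regex, the status names and the sample inventory are my assumptions.

```python
import re

# Build numbers taken from the advisory and release notes discussed above.
ADVISORY_FIXED_BUILD = 20841705   # VMSA-2022-0030 response matrix ("05")
RELEASE_NOTES_BUILD = 20841708    # download in the ESXi 7.0 U3i release notes ("08")

# Matches strings such as "ESXi70U3si-20841705" (assumed format, as used in the advisory).
_BUILD_RE = re.compile(r"^ESXi(?P<major>\d)(?P<minor>\d)(?P<update>U\d[a-z]*)-(?P<build>\d+)$")


def parse_build(version_string):
    """Return the numeric build from an ESXi version string, or None if it does not match."""
    m = _BUILD_RE.match(version_string.strip())
    return int(m.group("build")) if m else None


def classify(version_string, advisory_fixed=ADVISORY_FIXED_BUILD, scanner_fixed=RELEASE_NOTES_BUILD):
    """Triage one host against both candidate fixed builds.

    "vulnerable"     - build is below the build the advisory itself lists as fixed
    "disputed"       - build is at or above the advisory's fixed build but below the
                       build the scanner expects (the "05" vs "08" situation in the post)
    "not_vulnerable" - build is at or above the build the scanner expects
    "unknown"        - version string could not be parsed, needs a manual look
    """
    build = parse_build(version_string)
    if build is None:
        return "unknown"
    if build < advisory_fixed:
        return "vulnerable"
    if build < scanner_fixed:
        return "disputed"
    return "not_vulnerable"


def triage_inventory(hosts):
    """Map each (hostname, version string) pair to its triage status."""
    return {name: classify(version) for name, version in hosts}


# Constructed sample inventory; hostnames and the older build are made up for illustration.
SAMPLE_HOSTS = [
    ("esx-a", "ESXi70U3si-20841705"),  # security-only build named in the advisory
    ("esx-b", "ESXi70U3si-20841708"),  # full build from the release notes download
    ("esx-c", "ESXi70U3g-20328353"),   # older 7.0 U3 build (constructed)
    ("esx-d", "not-a-version"),        # unparseable entry, e.g. a bad CMDB record
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_HOSTS).items():
        print(f"{host}: {status}")
```

Feeding the scanner's findings through a check like this lets the vulnerability management team separate genuinely unpatched hosts from the "disputed" ones while VMware and Tenable sort out which build is correct.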


So yes, if you have followed the scenario, such cases do occur. Our support team has already reached out to VMware, but it is not clear how much time VMware will take to address this issue.


Not sure what VMware and Tenable will do; in the interim we are trying to make peace with the support team (ha ha).


Happy Learning !!
