We've recently upgraded our Lab to the latest 10.6 version of Cloud Director and to the latest VBR and VBEM (12.1.2.172).
I've updated the plugin inside Cloud Director, but tenants are not able to reach VBR. I've tried to reestablish connection to Cloud Director using VBR and facing this issue:
Will version 10.6 be supported in the next release/update? Is there no w/a except downgrading the version of Cloud Director?
Yes, it's not supported yet. Our general goal is to provide support within +/- 90 days of GA release (depends how much we need to change in our code).
You can check this KB for our official support statement regarding vCD builds: https://www.veeam.com/kb4488
If I understand the CVE correctly, then this CVE has a score of 4.9 and the vulnerability requires a logged-in tenant administrator. An attacker would first have to know the admin credentials. Such a login could then lead to an accidental config change which may lead to a denial of service situation for only this organization.
I assume, if an attacker has tenant admin credentials, he could do much more damage. He could just delete all VMs and vApps instead of trying to produce a denial of service attack. The new version 10.6 of VCD wouldn't protect against that.
Known Attack Vectors:
An authenticated tenant administrator for a given organization within VMware Cloud Director may be able to accidentally disable their organization leading to a Denial of Service for active sessions within their own organization's scope.
pascalsaul wrote (Jul 07, 2024 8:02 am): There is no time to wait since we NEED to patch.
I suppose you could also open a support case with VMware and request the patch for the previous Cloud Director version you're using. But official support for 10.6 needs time due to API changes on VMware side, which requires rewriting some code and performing regression testing on all affected functionality following these code changes.
The issue is essentially a tenant admin accidentally disabling an ORG which stops anyone accessing that one ORG. *If* that happens (which I suspect could have happened for years now), you just re-enable that ORG and giggle at the person who did that.
From what I understand, it doesn't impact the entire VCD platform, so you should be fine to fix it manually (re-enable the ORG).
While I'd love for Veeam to support 10.6, this CVE isn't a reason to panic.