CVE-2020-3994

Name of the Vulnerable Software and Affected Versions: VMware vCenter Server versions 6.7 before 6.7u3, 6.6 before 6.5u3k

Description: The issue is related to a lack of certificate validation in the vCenter Server Appliance Management Interface update function, which can allow a remote attacker to impact the integrity, confidentiality, and availability of protected information. A malicious actor with network positioning between vCenter Server and an update repository may be able to perform a session hijack when the vCenter Server Appliance Management Interface is used to download vCenter updates.

Recommendations: For versions 6.7 before 6.7u3, update to version 6.7u3 or later to resolve the issue. For versions 6.6 before 6.5u3k, update to version 6.5u3k or later to resolve the issue. As a temporary workaround, consider restricting network access to the vCenter Server Appliance Management Interface to minimize the risk of exploitation.