Cryptographic issues in vCenter Server Appliance - CVE-2014-8371

 


Published: December 8, 2014 / Updated: August 9, 2020


Vulnerability identifier: #VU41033
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2014-8371
CWE-ID: CWE-310
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: VMware, Inc
Affected software:
vCenter Server Appliance

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

VMware vCenter Server Appliance (vCSA) 5.5 before Update 2, 5.1 before Update 3, and 5.0 before Update 3c does not properly validate certificates when connecting to a CIM Server on an ESXi host, which allows man-in-the-middle attackers to spoof CIM servers via a crafted certificate.


How to mitigate CVE-2014-8371

Install the update from the vendor's website.
