CVE-2022-33675

FAQ

How do I install the update to be protected from the CVE-2022-33675 and CVE-2022-33676 vulnerabilities?

Unlike other Azure Site Recovery CVEs, to be protected from this particular vulnerability customers must upgrade to version 9.49 of the Process Server by following the instructions here. Customers must upgrade all process server installations, such as the in-built process server, scale out process server, and scale out process server on Azure (if any). More information about managing the Process Server can be found here.

What is Azure Site Recovery?

Azure Site Recovery helps ensure business continuity by keeping business apps and workloads running during outages. It is a service but also has a few on-premise components. Please visit this link for more details: About Azure Site Recovery - Azure Site Recovery

To what scenario does this vulnerability apply?

This vulnerability applies to a VMWare-to-Azure scenario. Please visit this link for more details: VMware VM disaster recovery architecture in Azure Site Recovery - Classic - Azure Site Recovery.

According to the CVSS metric, the attack vector is local (AV:L). What does this mean for this vulnerability?

The attacker would have to be an authenticated user logged on to the vulnerable system to be able to exploit this vulnerability.

According to the CVSS metric, privileges required is low (PR:L). What privileges are required?

To successfully exploit this vulnerability, an attacker needs to be authorized as a local user on the vulnerable component.