CVE-2022-35776

FAQ

According to the CVSS score, the attack vector is adjacent (AV:A). What does this mean for this vulnerability?

Exploiting this vulnerability requires an attacker to be within the VNET associated with the vulnerable configuration server.

According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

The vulnerability is in the configuration server but also impacts the process server.

According to the CVSS metric, privileges required is high (PR:H). What privileges does an attacker require to exploit this vulnerability?

Successful exploitation of this vulnerability requires an attacker to compromise admin credentials to one of the VMs associated with the configuration server.

What is Azure Site Recovery?

Azure Site Recovery helps ensure business continuity by keeping business apps and workloads running during outages. It is a service but also has a few on-premise components. Please visit this link for more details: About Azure Site Recovery - Azure Site Recovery

To what scenario does this vulnerability apply?

This vulnerability applies to a VMWare-to-Azure scenario. Please visit this link for more details: VMware VM disaster recovery architecture in Azure Site Recovery - Classic - Azure Site Recovery.

What can I do to protect myself from this vulnerability? You can follow the steps here to update to version 9.50

Is there information about new available options?

Yes, please see General availability: Upgrade VMware VMs protected by Site Recovery to modernized experience for more information.