CVE-2022-35802

FAQ

According to the CVSS metric, privileges required is low (PR:L). What privileges are required?

To successfully exploit this vulnerability, an attacker needs to be authorized as a local user on the vulnerable component.

According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?

No special privileges are required to exploit this vulnerability. An attacker needs to have network connectivity to the replication appliance.

According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H) and major loss of integrity (I:H) but have no effect on availability (A:N). What does that mean for this vulnerability?

Exploiting this vulnerability could allow an attacker to disclose encrypted credential and modify data using the credentials, but cannot impact the availability of the service.

What is Azure Site Recovery?

Azure Site Recovery helps ensure business continuity by keeping business apps and workloads running during outages. It is a service but also has a few on-premise components. Please visit this link for more details: About Azure Site Recovery - Azure Site Recovery

To what scenario does this vulnerability apply?

This vulnerability applies to a VMWare-to-Azure scenario. Please visit this link for more details: VMware VM disaster recovery architecture in Azure Site Recovery - Classic - Azure Site Recovery.

What can I do to protect myself from this vulnerability? You can follow the steps here to update to version 9.50

Is there information about new available options?

Yes, please see General availability: Upgrade VMware VMs protected by Site Recovery to modernized experience for more information.