Mr. Bitterness
As if the Broadcom VMware acquisition wasn't cringeworthy enough...
VMware Security Advisories (VMSAs) are now to be non-public.
You'll need a support portal account to even know that they exist.
https://blogs.vmware.com/security/2024/05/where-did-my-vmware-security-advisories-go.html
May 8, 2024 at 11:28amWeb
Show threadMr. BitternessMay 9, 2024
Apparently you do *NOT* need to log in to the portal to view VMware Security Advisories.
VMware discovered this yesterday.
https://support.broadcom.com/web/ecx/security-advisory
Security Advisory - Support Portal - Broadcom support portal

Support Portal
Show threadMr. BitternessMay 9, 2024

Also, FTR, things that you previously knew as ESXi, Workstation, Fusion, etc. are now called "VMware vCenter Server 7.0"

You get to these advisories by clicking on the link for "VMware Cloud Foundation":
https://support.broadcom.com/web/ecx/security-advisory?segment=VC

Looks like this acquisition is going swimmingly.

Security Advisory - Support Portal - Broadcom support portal

Support Portal
Show threadMartin Boller     May 8, 2024
@wdormann Continuous enshittification.
Show threadJessica D DooleyMay 8, 2024
@wdormann this is both dumbfounding and completely unsurprising.
Show threadSecuropeanMay 8, 2024
@wdormann Completely unacceptable.
Show threadmerikssonMay 8, 2024

@wdormann wow, just … wow…

#letthatshipsinkFFS

Show threadNosirrahSec 🏴‍☠️ guillotine enthusiastMay 8, 2024
@wdormann I almost want to go to the next VMUG meeting in Boston and just fucking lay into them.
Show threadMr. BitternessMay 8, 2024
@NosirrahSec
Something tells me they won't care.
Show threadNosirrahSec 🏴‍☠️ guillotine enthusiastMay 8, 2024

@wdormann Of course not, and they won't be able to do shit about anything.

It will make me feel better for all the wasted time, effort, and pain they've caused.

Show threadgordsecMay 8, 2024
@wdormann ffs, I can't think of a reason other than financial.
Show threadCarlos O'DonellMay 8, 2024
@wdormann VMWare is a CNA in the MITRE CNA program and the CNA v4.0 rules require one public reference for CVEs e.g. "5.1.10 MUST contain at least one public reference (see 5.3)." and "5.3.3.1 SHOULD NOT require registration or login, and" ... guess it's not a "MUST NOT" :/
Show threadschrotthaufenMay 9, 2024
@codonell @wdormann It’s a pity they used “should not” for that. “[…] the full implications should be understood and the case carefully weighed before implementing any behavior described with this label.” I guess they didn’t think about the implications hard enough.
Show threadCarlos O'DonellMay 9, 2024
@schrotthaufen @wdormann @msw Matt, Any idea why we used "SHOULD NOT" here for the public reference portion? In the interest of cybersecurity and entire ecosystem I would like to have seen 5.3.3.1 be "MUST NOT"
Show threadMr. BitternessMay 9, 2024
@codonell @schrotthaufen @msw
Per CVE rules, it's perfectly fine for a CVE reference to require a login.
As long as you don't have to be a paying customer or have other restrictions.
Show threadExecMay 9, 2024
@wdormann The post seems to be updated since then with a table of links to advisories available without login
Show threadChristopher SnowhillMay 9, 2024
@wdormann Truly security by obscurity is the best option.