In a new security notification, the BSI warns of two critical vulnerabilities and one highly dangerous vulnerability in VMware Aria Operations for Networks. An attacker could exploit the vulnerabilities to execute arbitrary code or disclose information.
The critical vulnerabilities in VMware Aria Operations for Networks have baseline CVSSv3 scores of 9.8 and 9.1. The highly dangerous vulnerability still has a score of 8.8. The vulnerabilities are tracked as CVE-2023-20887, CVE-2023-20888, and CVE-2023-20889.
BSI warns of attacks
The BSI names the vulnerabilities in its security advisory WID-SEC-2023-138 and warns of exploitation. VMware already offers updates that close the vulnerabilities. The first vulnerability, rated 9.8, is a command injection vulnerability (CVE-2023-20887). A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack that leads to remote code execution.
The second fix is for an authenticated deserialization vulnerability. VMware has rated the severity of this issue in the critical severity range with a maximum baseline CVSSv3 score of 9.1. An attacker with network access to VMware Aria Operations for Networks and valid Member role credentials could potentially perform a deserialization attack that leads to remote code execution.
The third vulnerability (CVE-2023-20889) can lead to information disclosure. This issue has a baseline CVSSv3 severity of 8.8, which is considered highly dangerous.
About VMware
VMware is driving the world's digital infrastructure with its business software. The company's solutions in the areas of cloud, mobility, network and security provide more than 500,000 corporate customers worldwide with a dynamic and efficient digital basis for their business success. They are supported by the global VMware partner network, consisting of around 75,000 partners. Based in Palo Alto, California, the company has used its technological innovations for both corporate and social purposes for over 20 years. The German office of VMware is located in Munich. Further information can be found at: www.vmware.com/de. VMware and Carbon Black are registered trademarks of VMware, Inc. or its subsidiaries in the United States and other countries.