VMware vCenter Server Flaw Lets Attackers Execute Remote Code
Two vulnerabilities have been discovered in VMware software, CVE-2023-34048 and CVE-2023-34056, an out-of-bounds write and a partial information disclosure respectively. They are rated 9.8 (Critical) and 4.3 (Medium).
Both vulnerabilities exist in VMware vCenter Server, the server management software for managing virtual machines, ESXi hosts, and their related components from a centralized location.
VMware has fixed these vulnerabilities and has released a security advisory addressing them.
CVE-2023-34048: VMware Out-of-Bounds Write Vulnerability
An attacker with network access to the vCenter Server can exploit this vulnerability to trigger an out-of-bounds write, potentially leading to remote code execution. The severity of this vulnerability has been given as 9.8 (Critical).
This vulnerability has no workarounds, according to VMware's security advisory.
CVE-2023-34056: VMware Info Disclosure Vulnerability
A threat actor with non-admin privileges can exploit this vulnerability to access unauthorized data. The severity of this vulnerability has been given as 4.3 (Medium).
Affected Products
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
VMware vCenter Server | 8 | Any | CVE-2023-34048, CVE-2023-34056 | 9.8, 4.3 | Critical | 8.0U2 | None | FAQ |
VMware vCenter Server | 8 | Any | CVE-2023-34048 | 9.8 | Critical | 8.0U1d | None | FAQ |
VMware vCenter Server | 7 | Any | CVE-2023-34048, CVE-2023-34056 | 9.8, 4.3 | Critical | 7.0U3o | None | FAQ |
VMware Cloud Foundation (VMware vCenter Server) | 5.x, 4.x | Any | CVE-2023-34048, CVE-2023-34056 | 9.8, 4.3 | Critical | KB88287 | None | FAQ |
Users of these products are advised to upgrade to the latest versions to prevent these vulnerabilities from being exploited.
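The table above lists two fixed releases for vCenter Server 8, and 8.0U1d covers only CVE-2023-34048. The following check is an added example, not VMware's or the article's code, that reports which of the two CVEs remain for each release label in an inventory. The label format it parses ("8.0U1d", "7.0 U3o"), the host names, and the sample inventory are assumptions constructed for illustration; VMware Cloud Foundation is left out because the table gives a KB article rather than a version for it.

```python
import re

# First fixed release per CVE, copied from the Affected Products table above.
# Value is (update number, patch letter); tuples compare in release order.
FIXED = {
    "8.0": {"CVE-2023-34048": (1, "d"), "CVE-2023-34056": (2, "")},
    "7.0": {"CVE-2023-34048": (3, "o"), "CVE-2023-34056": (3, "o")},
}

# Assumed label format: "<major>.<minor>", optional "U<n>", optional patch letter.
_LABEL = re.compile(r"^\s*(\d+\.\d+)\s*(?:U(\d+)([a-z]?))?\s*$", re.IGNORECASE)


def parse_release(label):
    """Split a label such as '8.0U1d' into ('8.0', (1, 'd'))."""
    match = _LABEL.match(label)
    if not match:
        raise ValueError(f"unrecognised release label: {label!r}")
    line, update, letter = match.groups()
    return line, (int(update or 0), (letter or "").lower())


def unpatched_cves(label):
    """Return the CVEs from the table that this release does not yet fix."""
    line, level = parse_release(label)
    if line not in FIXED:
        raise ValueError(f"release line {line} is not covered by the table")
    return sorted(cve for cve, fixed in FIXED[line].items() if level < fixed)


def audit(inventory):
    """Map host -> list of open CVEs, or None when the label needs manual review."""
    report = {}
    for host, label in inventory.items():
        try:
            report[host] = unpatched_cves(label)
        except ValueError:
            report[host] = None  # unknown is not the same as patched
    return report


# Constructed sample inventory (hypothetical host names and labels).
SAMPLE_INVENTORY = {
    "vc-lab-01": "8.0U1c", "vc-lab-02": "8.0U1d", "vc-lab-03": "8.0 U2",
    "vc-lab-04": "7.0U3n", "vc-lab-05": "6.7U3",
}

if __name__ == "__main__":
    for host, open_cves in audit(SAMPLE_INVENTORY).items():
        print(host, "REVIEW MANUALLY" if open_cves is None else open_cves or "patched")
```

A host on 8.0U1d comes back with CVE-2023-34056 still open, and a release line the table does not cover is flagged for manual review rather than reported as patched.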
Source credit : cybersecuritynews.com