VMware, a leading innovator in enterprise software, has recently issued updates to tackle two significant vulnerabilities in its vCenter Server and VMware Cloud Foundation products. These updates come in response to vulnerabilities identified as CVE-2023-34048 and CVE-2023-34056.
Critical Out-of-Bounds Write Flaw (CVE-2023-34048)
The more severe of the two, CVE-2023-34048, is an out-of-bounds write vulnerability within the DCERPC protocol implementation in vCenter Server. Rated with a maximum CVSSv3 base score of 9.8, marking it as critical, this flaw could potentially allow a malicious actor with network access to execute remote code. VMware has released patches for various versions of vCenter Server and VMware Cloud Foundation to mitigate this risk. Unfortunately, no in-product workarounds are viable for this issue.
Moderate Severity Information Disclosure (CVE-2023-34056)
The second vulnerability, CVE-2023-34056, involves partial information disclosure in vCenter Server. This vulnerability is considered moderate severity with a CVSSv3 base score of 4.3. It could allow a non-administrative user unauthorized access to data. Like the former, VMware recommends applying the listed updates to address this vulnerability.
Proactive Measures and Acknowledgements
VMware’s proactive approach to these vulnerabilities showcases their commitment to security. They have also provided additional documentation and FAQs for further clarification. Notably, exploitation of CVE-2023-34048 has been confirmed in the wild. The company extends its gratitude to Grigory Dorodnov of Trend Micro Zero Day Initiative and Oleg Moshkov of Deiteriy Lab OÜ for their respective contributions in reporting these issues.
For detailed information, users are encouraged to refer to the official VMware advisory and apply the necessary updates to ensure the security and integrity of their systems.
roduct | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
VMware vCenter Server | 8.0 | Any | CVE-2023-34048, CVE-2023-34056 | 9.8, 4.3 | Critical | 8.0U2 | None | FAQ |
VMware vCenter Server | 8.0 | Any | CVE-2023-34048 | 9.8 | Critical | 8.0U1d | None | FAQ |
VMware vCenter Server | 7.0 | Any | CVE-2023-34048, CVE-2023-34056 | 9.8, 4.3 | Critical | 7.0U3o | None | FAQ |
VMware Cloud Foundation (VMware vCenter Server) | 5.x, 4.x | Any | CVE-2023-34048, CVE-2023-34056 | 9.8, 4.3 | Critical | KB88287 | None | FAQ |