Virtualization technology powerhouse VMware is calling urgent attention to a critical remote code execution flaw haunting its vCenter Server and VMware Cloud Foundation products.
The company said the vulnerability, tagged as CVE-2023-34048, allows a malicious hacker with network access to launch remote code execution exploits.
A critical-severity advisory from VMware described the bug as an out-of-bounds write issue in its implementation of the DCE/RPC protocol. The company flagged the bug with a CVSS severity score of 9.8/10.
Due to the critical nature of this issue, VMware also released patches for older, end-of-life products, including vCenter Server 6.7U3, 6.5U3, VCF 3.x, and vCenter Server 8.0U1. Asynchronous vCenter Server patches for VCF 5.x and 4.x are also available.
The bulletin also documents a second moderate-severity flaw — CVE-2023-34056 — that could lead to the partial disclosure of information.
A malicious actor with non-administrative privileges can exploit this to access unauthorized data, VMware said, urging vCenter Server and Cloud Foundation users to urgently apply the available updates.
In a separate advisory covering security problems in VMware Aria Operations for Logs, the company warned that exploit code for an authentication bypass flaw has been published online, adding to the urgency to apply available patches.
“An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution,” VMWare warned.
The VMware Aria Operations for Logs vulnerability, tracked as CVE-2023-34051, carries a maximum CVSSv3 base score of 8.1/10.