Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

VMware vCenter Flaw So Critical, Patches Released for End-of-Life Products

VMware described the bug as an out-of-bounds write issue in its implementation of the DCE/RPC protocol. CVSS severity score of 9.8/10.

VMware zero-day

Virtualization technology powerhouse VMware is calling urgent attention to a critical remote code execution flaw haunting its vCenter Server and VMware Cloud Foundation products.

The company said the vulnerability, tagged as CVE-2023-34048, allows a malicious hacker with network access to launch remote code execution exploits.

A critical-severity advisory from VMware described the bug as an out-of-bounds write issue in its implementation of the DCE/RPC protocol.  The company flagged the bug with a CVSS severity score of 9.8/10.

Due to the critical nature of this issue, VMware also released patches for older, end-of-life products, including vCenter Server 6.7U3, 6.5U3, VCF 3.x, and vCenter Server 8.0U1. Asynchronous vCenter Server patches for VCF 5.x and 4.x are also available.

The bulletin also documents a second moderate-severity flaw — CVE-2023-34056 — that could lead to the partial disclosure of information.

A malicious actor with non-administrative privileges can exploit this to access unauthorized data, VMware said, urging vCenter Server and Cloud Foundation users to urgently apply the available updates.

In a separate advisory covering security problems in VMware Aria Operations for Logs, the company warned that exploit code for an authentication bypass flaw has been published online, adding to the urgency to apply available patches.

“An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution,” VMWare warned.

Advertisement. Scroll to continue reading.

The VMware Aria Operations for Logs vulnerability, tracked as CVE-2023-34051, carries a maximum CVSSv3 base score of 8.1/10.  

Related: Exploit Code Published for Critical-Severity VMware Security Defect

Related: VMware Patches Major Security Flaws in Network Monitoring Product

Related: VMware Patches Code Execution Vulnerabilities in vCenter Server

Related:VMware Confirms Live Exploits Hitting Just-Patched Security Flaw

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Register

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

SAP security firm SecurityBridge announced the appointment of Roman Schubiger as the company’s new CRO.

Cybersecurity training and simulations provider SimSpace has appointed Peter Lee as Chief Executive Officer.

Orchid Security has appointed a new Chief Product Officer and three advisors.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.