Virtualization know-how powerhouse VMware is asking pressing consideration to a essential distant code execution flaw haunting its vCenter Server and VMware Cloud Basis merchandise.
The corporate mentioned the vulnerability, tagged as CVE-2023-34048, permits a malicious hacker with community entry to launch distant code execution exploits.
A critical-severity advisory from VMware described the bug as an out-of-bounds write subject in its implementation of the DCE/RPC protocol. The corporate flagged the bug with a CVSS severity rating of 9.8/10.
Because of the essential nature of this subject, VMware additionally launched patches for older, end-of-life merchandise, together with vCenter Server 6.7U3, 6.5U3, VCF 3.x, and vCenter Server 8.0U1. Asynchronous vCenter Server patches for VCF 5.x and 4.x are additionally obtainable.
The bulletin additionally paperwork a second moderate-severity flaw — CVE-2023-34056 — that would result in the partial disclosure of knowledge.
A malicious actor with non-administrative privileges can exploit this to entry unauthorized knowledge, VMware mentioned, urging vCenter Server and Cloud Basis customers to urgently apply the obtainable updates.
In a separate advisory overlaying security issues in VMware Aria Operations for Logs, the corporate warned that exploit code for an authentication bypass flaw has been revealed on-line, including to the urgency to use obtainable patches.
“An unauthenticated, malicious actor can inject recordsdata into the working system of an impacted equipment which can lead to distant code execution,” VMWare warned.
The VMware Aria Operations for Logs vulnerability, tracked as CVE-2023-34051, carries a most CVSSv3 base rating of 8.1/10.
