- 178/2023
- Medium
VMware has released security updates to fix multiple vulnerabilities in VMware SD-Wan and Tanzu Application Service.
The addressed vulnerabilities could allow the remote attacker to obtain sensitive information, caused by improper authentication in SD-Wan and logging credentials in hex encoding in platform system audit logs in VMware Tanzu Application.
Sample of the addressed vulnerabilities:
VMware Tanzu Application Service for VMs and VMware Isolation Segment Information Disclosure Vulnerability (CVE-2023-20891):
- CVSS: 6.5
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Obtain Information
Affected Products:
- VMware SD-WAN (Edge) (5.x.x, 4.5.x).
- VMware Tanzu Isolation Segment (4.0.x, 3.0.x, 2.13.x, 2.11.x).
- VMware Tanzu Application Service for VMs (4.0.x, 3.0.x, 2.13.x, 2.11.x).
Vulnerabilities
- CVE-2023-20891
- CVE-2023-20899
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.