- 51/2023
- Critical
VMware has released security updates to fix multiple vulnerabilities in multiple VMware products.
The addressed vulnerabilities could allow the remote authenticated attacker to read arbitrary files, cause a denial of service attack, conduct an SSRF attack, or execute arbitrary code by using specially-crafted request/XML content to gain access to the affected product.
Sample of the addressed vulnerabilities:
1. VMware Carbon Black App Control (App Control) Code Execution Vulnerability (CVE-2023-20858):
• CVSS: 9.1
• Attack Vector: Network
• Attack Complexity: low
• Privileges Required: High
• User Interaction: None
• Consequences: Gain Access
2. VMware vRealize Orchestrator XML External Entity Injection (CVE-2023-20855):
• CVSS: 8.8
• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: Low
• User Interaction: None
• Consequences: Gain Access
Affected products:
• VMware Cloud Foundation.
• VMware vRealize Orchestrator.
• VMware vRealize Automation.
• VMware Carbon Black App Control.
Vulnerabilities
- CVE-2023-20858
- CVE-2023-20855
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.