Virtualization technology giant VMware released security patches to address three vulnerabilities, two rated critical and one high-severity, tracked as CVE-2023-20887, CVE-2023-20888 and CVE-2023-20889, in VMware Aria Operations for Networks.
VMware Aria Operations for Networks (formerly vRealize Network Insight) is a network monitoring tool that helps organizations build an optimized, highly available, and secure network infrastructure.
The most severe issue addressed by the company is a command injection vulnerability tracked as CVE-2023-20887 (CVSSv3 score of 9.8), which does not require authentication.
“A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in remote code execution.” reads the advisory published by VMware.
The company also addressed an authenticated deserialization vulnerability tracked as CVE-2023-20888 (CVSSv3 score of 9.1).
“A malicious actor with network access to VMware Aria Operations for Networks and valid ‘member’ role credentials may be able to perform a deserialization attack resulting in remote code execution.” continues the advisory.
The third vulnerability addressed by the company is an information disclosure vulnerability tracked as CVE-2023-20889 (CVSSv3 score of 8.8), which is exploitable by an attacker with network access to the appliance.
The virtualization firm fixed the issues with a hotfix for VMware Aria Operations for Networks 6.x, documented in knowledge base article KB92684.
At this time no workarounds are available, so applying the hotfix is the only mitigation.
In April, VMware fixed two severe flaws, tracked as CVE-2023-20864 and CVE-2023-20865, impacting the VMware Aria Operations for Logs product.
The vulnerability CVE-2023-20864 (CVSSv3 base score of 9.8) is a deserialization issue that can be exploited by an unauthenticated attacker with network access to VMware Aria Operations for Logs to execute arbitrary code as root.
(SecurityAffairs – hacking, VMware)