Virtualization technology giant VMware released security patches to address three critical and high-severity vulnerabilities, tracked as CVE-2023-20887, CVE-2023-20888, and CVE-2023-20889, in VMware Aria Operations for Networks.
VMware Aria Operations for Networks (formerly vRealize Network Insight) is a network monitoring tool that helps organizations build an optimized, highly available, and secure network infrastructure.
The most severe issue addressed by the company is a Command Injection vulnerability tracked as CVE-2023-20887 (CVSSv3 score of 9.8).
“A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in remote code execution,” reads the advisory published by VMware.
The company also addressed an authenticated deserialization vulnerability tracked as CVE-2023-20888 (CVSSv3 score of 9.1).
“A malicious actor with network access to VMware Aria Operations for Networks and valid ‘member’ role credentials may be able to perform a deserialization attack resulting in remote code execution,” continues the advisory.
The third vulnerability addressed by the company is a network information disclosure vulnerability tracked as CVE-2023-20889 (CVSSv3 score of 8.8).
The virtualization firm fixed the issues with the release of VMware Aria Operations for Networks 6.x HF: KB92684.
At this time no workarounds are available.
In April, VMware fixed two severe flaws, tracked as CVE-2023-20864 and CVE-2023-20865, impacting the VMware Aria Operations for Logs product.
The vulnerability CVE-2023-20864 (CVSSv3 base score of 9.8) is a deserialization issue that can be exploited by an unauthenticated attacker with network access to VMware Aria Operations for Logs to execute arbitrary code as root.