Virtualization technology giant VMware released security patches to address three critical and high-severity vulnerabilities, tracked as CVE-2023-20887, CVE-2023-20888, CVE-2023-20889, in VMware Aria Operations for Networks.
VMware Aria Operations for Networks (formerly vRealize Network Insight) is a network monitoring tool that helps organizations build an optimized, highly available, and secure network infrastructure.
The most severe issue addressed by the company is a Command Injection vulnerability tracked as CVE-2023-20887 (CVSSv3 score of 9.8).
“A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in remote code execution,” reads the advisory published by VMware.
The company also addressed an authenticated deserialization vulnerability tracked as CVE-2023-20888 (CVSSv3 score of 9.1).
“A malicious actor with network access to VMware Aria Operations for Networks and valid ‘member’ role credentials may be able to perform a deserialization attack resulting in remote code execution,” continues the advisory.
The third vulnerability addressed by the company is a network information disclosure vulnerability tracked as CVE-2023-20889 (CVSSv3 score of 8.8).
The virtualization firm fixed the issues with the release of VMware Aria Operations for Networks 6.x HF: KB92684.
At this time no workarounds are available.
In April, VMware fixed two severe flaws, tracked as CVE-2023-20864 and CVE-2023-20865, impacting the VMware Aria Operations for Logs product.
The vulnerability CVE-2023-20864 (CVSSv3 base score of 9.8) is a deserialization issue that can be exploited by an unauthenticated attacker with network access to VMware Aria Operations for Logs to execute arbitrary code as root.