VMware vCenter Server Flaw Lets Attackers Execute Remote Code

Two vulnerabilities, CVE-2023-34048 and CVE-2023-34056, have been discovered in VMware vCenter Server: an Out-of-Bounds Write and a Partial Information Disclosure, respectively. Their severity scores are 9.8 (Critical) and 4.3 (Medium).

Both vulnerabilities exist in VMware vCenter Server, server management software for managing virtual machines, ESXi hosts, and all other components from a centralized location.

VMware has fixed both vulnerabilities and released a security advisory addressing them.

CVE-2023-34048: VMware Out-of-Bounds Write Vulnerability

An attacker with network access to the vCenter Server can exploit this vulnerability to trigger an out-of-bounds write, potentially leading to remote code execution. The severity of this vulnerability has been given as 9.8 (Critical).

This vulnerability has no workarounds, according to VMware’s security advisory. 

CVE-2023-34056: VMware Information Disclosure Vulnerability

A threat actor with non-admin privileges can exploit this vulnerability to access unauthorized data. The severity of this vulnerability has been given as 4.3 (Medium).

Affected Products

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| VMware vCenter Server | 8 | Any | CVE-2023-34048, CVE-2023-34056 | 9.8, 4.3 | Critical | 8.0U2 | None | FAQ |
| VMware vCenter Server | 8 | Any | CVE-2023-34048 | 9.8 | Critical | 8.0U1d | None | FAQ |
| VMware vCenter Server | 7 | Any | CVE-2023-34048, CVE-2023-34056 | 9.8, 4.3 | Critical | 7.0U3o | None | FAQ |
| VMware Cloud Foundation (VMware vCenter Server) | 5.x, 4.x | Any | CVE-2023-34048, CVE-2023-34056 | 9.8, 4.3 | Critical | KB88287 | None | FAQ |

Users of these products are recommended to upgrade to the latest versions to prevent these vulnerabilities from being exploited.
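To turn the table into a patch-status check, the following added example (not from VMware or the original article) compares vCenter Server version strings against the fixed versions listed above and reports which of the two CVEs each host is still not listed as fixed for. It assumes versions are recorded in the table's notation (for example `8.0U1d`); the host names and inventory are constructed, and VMware Cloud Foundation is not covered because the table gives a KB article rather than a version for it.

```python
import re

# Fixed versions per release line, taken from the Affected Products table.
# Each entry: (fixed version, CVEs that version is listed as addressing).
FIXES = {
    "8.0": [("8.0U1d", {"CVE-2023-34048"}),
            ("8.0U2", {"CVE-2023-34048", "CVE-2023-34056"})],
    "7.0": [("7.0U3o", {"CVE-2023-34048", "CVE-2023-34056"})],
}
ALL_CVES = {"CVE-2023-34048", "CVE-2023-34056"}

_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\s*(?:U(?:pdate)?\s*(\d+)([a-z]?))?\s*$", re.I)

def parse_version(text):
    """Parse '8.0U1d', '7.0 U3o' or '8.0' into (line, (update, patch_letter))."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised vCenter version: {text!r}")
    major, minor, update, letter = m.groups()
    return f"{major}.{minor}", (int(update or 0), (letter or "").lower())

def unpatched_cves(version):
    """Return, sorted, the CVEs the table does not list as fixed at `version`."""
    line, level = parse_version(version)
    if line not in FIXES:
        raise ValueError(f"release line {line} is not in the table")
    fixed = set()
    for fixed_version, cves in FIXES[line]:
        # Tuple comparison: update number first, then patch letter.
        if level >= parse_version(fixed_version)[1]:
            fixed |= cves
    return sorted(ALL_CVES - fixed)

# Constructed inventory (hypothetical host names and versions).
INVENTORY = {"vc-prod-01": "8.0U1c", "vc-lab-02": "8.0 U1d",
             "vc-dr-03": "8.0U2", "vc-old-04": "7.0U3n", "vc-old-05": "7.0U3o"}

def audit(inventory):
    """Map each host to the CVEs it still needs an upgrade for."""
    return {host: unpatched_cves(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    for host, cves in audit(INVENTORY).items():
        status = "patched" if not cves else "needs upgrade for " + ", ".join(cves)
        print(f"{host}: {status}")
```

A host on 8.0U1d is reported as still needing 8.0U2 for CVE-2023-34056, matching the table row that lists only CVE-2023-34048 for that build.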


Eswar is a cyber security reporter with a passion for creating captivating and informative content. With years of experience in cyber security, he reports on data breaches, privacy and APT threats.