VMSA-2023-0021:VMware Aria Operations for Logs updates address multiple vulnerabilities.

21 October 2023

17 October 2023

CLOSED

HIGH

8.1

CVE-2023-34051,CVE-2023-34052

Advisory ID: VMSA-2023-0021
CVSSv3 Range: 8.1
Issue Date: 2023-10-19
Updated On: 2023-10-23
CVE(s): CVE-2023-34051, CVE-2023-34052
Synopsis: VMware Aria Operations for Logs updates address multiple vulnerabilities. (CVE-2023-34051, CVE-2023-34052)
1. Impacted Products

  • Aria Operations for Logs

2. Introduction

Multiple vulnerabilities in VMware Aria Operations for Logs were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

3a. Authentication Bypass Vulnerability (CVE-2023-34051)

Description

VMware Aria Operations for Logs contains an authentication bypass vulnerability. VMware has evaluated the severity of this issue to be in the Important Severity Range with a maximum CVSSv3 base score of 8.1.

Known Attack Vectors

An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution.

Resolution

To remediate CVE-2023-34051, apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank James Horseman from Horizon3.ai and Randori Attack Team (https://twitter.com/RandoriAttack) for reporting this issue to us.

3b. Deserialization Vulnerability (CVE-2023-34052)

Description

VMware Aria Operations for Logs contains a deserialization vulnerability. VMware has evaluated the severity of this issue to be in the Important Severity Range with a maximum CVSSv3 base score of 8.1.

Known Attack Vectors

A malicious actor with non-administrative access to the local system can trigger the deserialization of data which could result in authentication bypass.

Resolution

To remediate CVE-2023-34052, apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank IuHrm of Cyber KunLun for reporting this issue to us.

Response Matrix

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| VMware Aria Operations for Logs | 8.14 | Any | CVE-2023-34051, CVE-2023-34052 | N/A | N/A | Unaffected | N/A | N/A |
| VMware Aria Operations for Logs | 8.12 | Any | CVE-2023-34051 | | important | | N/A | N/A |
| VMware Aria Operations for Logs | 8.12 | Any | CVE-2023-34052 | | important | | N/A | N/A |
| VMware Aria Operations for Logs | 8.10.2 | Any | CVE-2023-34051 | | important | | N/A | N/A |
| VMware Aria Operations for Logs | 8.10.2 | Any | CVE-2023-34052 | | important | | N/A | N/A |
| VMware Aria Operations for Logs | 8.10 | Any | CVE-2023-34051 | | important | | N/A | N/A |
| VMware Aria Operations for Logs | 8.10 | Any | CVE-2023-34052 | N/A | N/A | Unaffected | N/A | N/A |
| VMware Aria Operations for Logs | 8.8.x | Any | CVE-2023-34051 | | important | | N/A | N/A |
| VMware Aria Operations for Logs | 8.8.x | Any | CVE-2023-34052 | N/A | N/A | Unaffected | N/A | N/A |
| VMware Aria Operations for Logs | 8.6.x | Any | CVE-2023-34051 | | important | | N/A | N/A |
| VMware Aria Operations for Logs | 8.6.x | Any | CVE-2023-34052 | N/A | N/A | Unaffected | N/A | N/A |
| VMware Cloud Foundation (VMware Aria Operations for Logs) | 5.x, 4.x | Any | CVE-2023-34051, CVE-2023-34052 | | important | | N/A | N/A |

4. References

5. Change Log

2023-10-19 VMSA-2023-0021

Initial security advisory.

2023-10-23 VMSA-2023-0021.1

Updated VMSA to note that VMware has confirmed that exploit code for CVE-2023-34051 has been published.

6. Contact

E-mail list for product security notifications and announcements:

http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:
[email protected]

E-mail: [email protected]

PGP key at:
https://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

Copyright 2023 VMware Inc. All rights reserved.