VMSA-2023-0009:VMware Aria Operations update addresses multiple Local Privilege Escalations and a Deserialization issue

09 May 2023


Advisory ID: VMSA-2023-0009
CVSSv3 Range: 6.4-8.8
Issue Date: 2023-05-11
Updated On: 2023-05-11 (Initial Advisory)
CVE(s): CVE-2023-20877, CVE-2023-20878, CVE-2023-20879, CVE-2023-20880
Synopsis: VMware Aria Operations update addresses multiple Local Privilege Escalations and a Deserialization issue (CVE-2023-20877, CVE-2023-20878, CVE-2023-20879, CVE-2023-20880)

1. Impacted Products

VMware Aria Operations (formerly vRealize Operations)

2. Introduction

Multiple vulnerabilities in VMware Aria Operations were privately reported to VMware. Updates are available to address these vulnerabilities in affected VMware products.

3a. VMware Aria Operations Privilege Escalation Vulnerability (CVE-2023-20877)

Description

VMware Aria Operations contains a privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.

Known Attack Vectors

An authenticated malicious user with ReadOnly privileges can perform code execution leading to privilege escalation.

Resolution

To remediate CVE-2023-20877 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below.

Workarounds

None

Additional Documentation

None

Notes

None

Acknowledgements

VMware would like to thank Y4er of 埃文科技 for reporting this issue to us.

3b. VMware Aria Operations Deserialization Vulnerability (CVE-2023-20878)

Description

VMware Aria Operations contains a deserialization vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.6.

Known Attack Vectors

A malicious actor with administrative privileges can execute arbitrary commands and disrupt the system.

Resolution

To remediate CVE-2023-20878 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below.

Workarounds

None

Additional Documentation

None

Notes

None

Acknowledgements

VMware would like to thank Y4er of 埃文科技 for reporting this issue to us.

3c. VMware Aria Operations Local Privilege Escalation Vulnerability (CVE-2023-20879)

Description

VMware Aria Operations contains multiple Local Privilege Escalation vulnerabilities. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.7.

Known Attack Vectors

A malicious actor with administrative privileges in the Aria Operations application can gain root access to the underlying operating system.

Resolution

To remediate CVE-2023-20879 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below.

Workarounds

None

Additional Documentation

None

Notes

None

Acknowledgements

VMware would like to thank thiscodecc of MoyunSec Vlab and Bing for reporting this issue to us.

3d. VMware Aria Operations Local Privilege Escalation Vulnerability (CVE-2023-20880)

Description

VMware Aria Operations contains a local privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.4.

Known Attack Vectors

A malicious actor with administrative access to the local system can escalate privileges to 'root'.

Resolution

To remediate CVE-2023-20880 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below.

Workarounds

None

Additional Documentation

None

Notes

None

Acknowledgements

VMware would like to thank thiscodecc of MoyunSec Vlab and Bing for reporting this issue to us.

Response Matrix

Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
VMware Aria Operations | 8.12 | Any | CVE-2023-20877, CVE-2023-20878, CVE-2023-20879, CVE-2023-20880 | N/A | N/A | Unaffected | N/A | N/A
VMware Aria Operations | 8.10.x | Any | CVE-2023-20877, CVE-2023-20878, CVE-2023-20879, CVE-2023-20880 | 8.8, 6.6, 6.7, 6.4 | Important | | N/A | N/A
VMware Aria Operations | 8.6.x | Any | CVE-2023-20877, CVE-2023-20878, CVE-2023-20879, CVE-2023-20880 | 8.8, 6.6, 6.7, 6.4 | Important | | N/A | N/A
VMware Cloud Foundation (VMware Aria Operations) | 4.x | Any | CVE-2023-20877, CVE-2023-20878, CVE-2023-20879, CVE-2023-20880 | 8.8, 6.6, 6.7, 6.4 | Important | | N/A | N/A

4. References
5. Change Log

2023-05-11 VMSA-2023-0009

Initial security advisory.

6. Contact

E-mail: [email protected]

PGP key at:
https://kb.vmware.com/kb/1055 

VMware Security Advisories
https://www.vmware.com/security/advisories 

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html 

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html 

VMware Security & Compliance Blog  
https://blogs.vmware.com/security 

Twitter
https://twitter.com/VMwareSRC

Copyright 2023 VMware Inc. All rights reserved.