VMware Aria Operations (formerly vRealize Operations)

Multiple vulnerabilities in VMware Aria Operations were privately reported to VMware. Updates are available to address these vulnerabilities in affected VMware products.

VMware Aria Operations contains a privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.

An authenticated malicious user with ReadOnly privileges can perform code execution leading to privilege escalation.

To remediate CVE-2023-20877 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below.

None

None

None

VMware would like to thank Y4er of 埃文科技 for reporting this issue to us.

VMware Aria Operations contains a deserialization vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.6.

A malicious actor with administrative privileges can execute arbitrary commands and disrupt the system.

To remediate CVE-2023-20878 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below.

None

None

None

VMware would like to thank Y4er of 埃文科技 for reporting this issue to us.

VMware Aria Operations contains multiple Local Privilege Escalation vulnerabilities. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.7.

A malicious actor with administrative privileges in the Aria Operations application can gain root access to the underlying operating system.

To remediate CVE-2023-20879 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below.

None

None

None

VMware would like to thank thiscodecc of MoyunSec Vlab and Bing for reporting this issue to us.

VMware Aria Operations contains a local privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.4.

A malicious actor with administrative access to the local system can escalate privileges to 'root'.

To remediate CVE-2023-20877 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below.

None

None

None

VMware would like to thank thiscodecc of MoyunSec Vlab and Bing for reporting this issue to us.

Downloads and Documentation:

8.10 Hot Fix 4: https://kb.vmware.com/s/article/91852

8.6 Hot Fix 10: https://kb.vmware.com/s/article/91850

VCF 4.x: https://kb.vmware.com/s/article/92148

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20877

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20878

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20879

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20880

FIRST CVSSv3 Calculator:

CVE-2023-20877: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2023-20878: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2023-20879: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2023-20880: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

2023-05-11 VMSA-2023-0009

Initial security advisory.

E-mail: [email protected]

PGP key at:
https://kb.vmware.com/kb/1055 

VMware Security Advisories
https://www.vmware.com/security/advisories 

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html 

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html 

VMware Security & Compliance Blog  
https://blogs.vmware.com/security 

Twitter
https://twitter.com/VMwareSRC

Copyright 2023 VMware Inc. All rights reserved.