VMSA-2023-0012:VMware Aria Operations for Networks updates address multiple vulnerabilities.

VMware Tanzu Application Service

0 more products

23674

18 June 2023

04 June 2023

CLOSED

CRITICAL

8.8 - 9.8

CVE-2023-20887,CVE-2023-20888,CVE-2023-20889

VMSA-2023-0012.2
8.8 - 9.8
2023-06-07
2023-06-20
CVE-2023-20887, CVE-2023-20888, CVE-2023-20889
VMware Aria Operations for Networks updates address multiple vulnerabilities. (CVE-2023-20887, CVE-2023-20888, CVE-2023-20889)
1. Impacted Products
  • Aria Operations for Networks (Formerly vRealize Network Insight)

2. Introduction

Multiple vulnerabilities in Aria Operations for Networks were privately reported to VMware. Patches are available to remediate these vulnerabilities in affected VMware products.

3a. Aria Operations for Networks Command Injection Vulnerability (CVE-2023-20887)

Description

Aria Operations for Networks contains a command injection vulnerability. VMware has evaluated the severity of this issue to be in the critical severity range with a maximum CVSSv3 base score of 9.8.

Known Attack Vectors

A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in remote code execution.

Resolution

To remediate CVE-2023-20887 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below.

Workarounds

None.

Additional Documentation

None.

Notes

VMware has confirmed that exploitation of CVE-2023-20887 has occurred in the wild.

Acknowledgements

VMware would like to thank Anonymous working with Trend Micro Zero Day Initiative for reporting this issue to us.

3b. Aria Operations for Networks Authenticated Deserialization Vulnerability (CVE-2023-20888)

Description

Aria Operations for Networks contains an authenticated deserialization vulnerability. VMware has evaluated the severity of this issue to be in the critical severity range with a maximum CVSSv3 base score of 9.1.

Known Attack Vectors

A malicious actor with network access to VMware Aria Operations for Networks and valid 'member' role credentials may be able to perform a deserialization attack resulting in remote code execution.

Resolution

To remediate CVE-2023-20888 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative for reporting this issue to us.

3c. Aria Operations for Networks Information Disclosure Vulnerability (CVE-2023-20889)

Description

Aria Operations for Networks contains an information disclosure vulnerability. VMware has evaluated the severity of this issue to be in the important severity range with a maximum CVSSv3 base score of 8.8.

Known Attack Vectors

A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in information disclosure.

Resolution

To remediate CVE-2023-20889 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative for reporting this issue to us.

Response Matrix

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
VMware Aria Operations Networks
6.x
Any
CVE-2023-20887, CVE-2023-20888, CVE-2023-20889
critical
None
N/A
4. References
5. Change Log

2023-06-07 VMSA-2023-0012

Initial security advisory.

2023-06-13 VMSA-2023-0012.1

Updated VMSA to note that VMware has confirmed that exploit code for CVE-2023-20887 has been published.

2023-06-20 VMSA-2023-0012.2

VMware has confirmed that exploitation of CVE-2023-20887 has occurred in the wild.

6. Contact