VMSA-2024-0004:VMware Aria Operations updates address local privilege escalation vulnerability (CVE-2024-22235)
24264
11 July 2024
08 May 2024
CLOSED
MEDIUM
6.7
None
CVE-2024-22235
| Advisory ID: | VMSA-2024-0004 |
| Advisory Severity: | Moderate |
| CVSSv3 Range: | 6.7 |
| Synopsis: | VMware Aria Operations updates address local privilege escalation vulnerability. (CVE-2024-22235) |
| Issue date: | 2024-02-20 |
| Updated on: | 2024-02-20 (Initial Advisory) |
| CVE(s) | CVE-2024-22235 |
1. Impacted Products
- VMware Aria Operations (formerly vRealize Operations)
- VMware Cloud Foundation (VMware Aria Operations)
2. Introduction
A local privilege escalation vulnerability affecting Aria Operations was responsibly reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.
3. Local Privilege Escalation vulnerability (CVE-2024-22235)
Description
VMware Aria Operations contains a local privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Moderate Severity Range with a maximum CVSSv3 base score of 6.7.
Known Attack Vectors
A malicious actor with administrative access to the local system can escalate privileges to 'root'.
Resolution
To remediate CVE-2024-22235 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below.
Workarounds
None.
Additional Documentation
None.
Notes
None.
Acknowledgements
VMware would like to thank thiscodecc of MoyunSec Vlab and Bing for reporting this issue to us.
Response Matrix
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|
VMware Aria Operations
|
8.16
|
Any
|
CVE-2024-22235
|
N/A
|
N/A
|
Unaffected
|
N/A
|
N/A
|
|
VMware Aria Operations
|
8.x
|
Any
|
CVE-2024-22235
|
moderate
|
N/A
|
N/A
|
||
|
VMware Cloud Foundation (VMware Aria Operations)
|
5.x
|
Any
|
CVE-2024-22235
|
moderate
|
N/A
|
N/A
|
||
|
VMware Cloud Foundation (VMware Aria Operations)
|
4.x
|
Any
|
CVE-2024-22235
|
moderate
|
N/A
|
N/A
|
4. References
Fixed Version(s) and Release Notes:
Aria Operations
Downloads and Documentation:
Release notes
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22235
FIRST CVSSv3 Calculator:
CVE-2024-22235: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
5. Change Log
2024-02-20 VMSA-2024-0004
Initial security advisory.
6. Contact
E-mail: [email protected]
PGP key at:
https://kb.vmware.com/kb/1055
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Twitter
https://twitter.com/VMwareSRC
Copyright 2024 Broadcom. All rights reserved.