{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2023-084.pdf"
    },
    "title": "Critical Vulnerability in VMware products",
    "serial_number": "2023-084",
    "publish_date": "27-10-2023 21:05:49",
    "description": "On 25 October 2023, VMware released security updates to address two vulnerabilities affecting vCenter Server and Cloud Foundation. Exploitation of the vulnerabilities could lead to an out-of-bounds write and a partial information disclosure. The vulnerabilities are tracked as CVE-2023-34048 with a CVSS score of 9.8 and CVE-2023-34056 with a CVSS score of 4.3.[1]<br>\nIt is recommended to update as soon as possible.<br>\n",
    "url_title": "2023-084",
    "content_markdown": "---\ntitle: 'Critical Vulnerability in VMware products'\nnumber: '2023-084'\nversion: '1.0'\noriginal_date: 'October 25, 2023'\ndate: 'October 27, 2023'\n---\n\n_History:_\n\n* _27/10/2023 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn 25 October 2023, VMware released security updates to address two vulnerabilities affecting vCenter Server and Cloud Foundation. Exploitation of the vulnerabilities could lead to an out-of-bounds write and a partial information disclosure. The vulnerabilities are tracked as **CVE-2023-34048** with a CVSS score of 9.8 and **CVE-2023-34056** with a CVSS score of 4.3.[1]\n\nIt is recommended to update as soon as possible.\n\n# Technical Details\n\n- **CVE-2023-34048**: This vulnerability (CVSS score of 9.8) allows a malicious actor with network access to vCenter Server to trigger an out-of-bounds write, potentially leading to remote code execution.\n- **CVE-2023-34056**: This vulnerability (CVSS score of 4.3) allows a malicious actor with non-administrative privileges on vCenter Server to access unauthorised data.\n\n# Affected products\n\n- VMware vCenter Server versions 7.x and 8.x;\n- VMware Cloud Foundation (VMware vCenter Server) versions 4.x and 5.x.\n\n# Recommendations\n\nCERT-EU recommends updating affected software to the latest version as soon as possible.\n\n# References\n\n[1] <https://www.vmware.com/security/advisories/VMSA-2023-0023.html>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>27/10/2023 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On 25 October 2023, VMware released security updates to address two vulnerabilities affecting vCenter Server and Cloud Foundation. Exploitation of the vulnerabilities could lead to an out-of-bounds write and a partial information disclosure. The vulnerabilities are tracked as <strong>CVE-2023-34048</strong> with a CVSS score of 9.8 and <strong>CVE-2023-34056</strong> with a CVSS score of 4.3.[1]</p><p>It is recommended to update as soon as possible.</p><h2 id=\"technical-details\">Technical Details</h2><ul><li><strong>CVE-2023-34048</strong>: This vulnerability (CVSS score of 9.8) allows a malicious actor with network access to vCenter Server to trigger an out-of-bounds write, potentially leading to remote code execution.</li><li><strong>CVE-2023-34056</strong>: This vulnerability (CVSS score of 4.3) allows a malicious actor with non-administrative privileges on vCenter Server to access unauthorised data.</li></ul><h2 id=\"affected-products\">Affected products</h2><ul><li>VMware vCenter Server versions 7.x and 8.x;</li><li>VMware Cloud Foundation (VMware vCenter Server) versions 4.x and 5.x.</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU recommends updating affected software to the latest version as soon as possible.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.vmware.com/security/advisories/VMSA-2023-0023.html\">https://www.vmware.com/security/advisories/VMSA-2023-0023.html</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}