CI Operators:
VMware has reported 5 memory corruption vulnerabilities affecting vCenter Server and Cloud Foundation products, several with a CVSSv3 score of 8.1. Updates are available. Detailed information and product updates can be found in VMware security advisory VMSA-2023-0014 [1].
Impact:
A malicious actor with network access may exploit these vulnerabilities to: 1) execute arbitrary code on the underlying operating system that hosts vCenter Server (CVE-2023-20892 [2], CVE-2023-20893 [3]); 2) trigger an out-of-bounds write leading to memory corruption (CVE-2023-20894 [4]); 3) trigger a memory corruption vulnerability that may allow authentication to be bypassed (CVE-2023-20895 [5]). A supplemental FAQ with additional information is available [6].
Affected Software:
* vCenter Server 8.0
* vCenter Server 7.0
* Cloud Foundation (vCenter Server) 5.x
* Cloud Foundation (vCenter Server) 4.x
Recommendation:
Update to the latest patched version of vCenter Server or Cloud Foundation. No workarounds are available.
References:
[1] https://www.vmware.com/security/advisories/VMSA-2023-0014.html
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20892
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20893
[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20894
[5] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20895
[6] https://core.vmware.com/vmsa-2023-0014-questions-answers-faq
How Trusted CI can help:
The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.