VMware vCenter Server Out-of-Bounds Write Vulnerability (CVE-2023-34048)

[Fleury, Terry]

CI Operators:

VMware has announced a critical vulnerability in vCenter Server [1]. This vulnerability has a CVSSv3 score of 9.8 and is tracked as CVE-2023-34048 [2].

 

Impact:

An out-of-bounds write weakness in vCenter's DCE/RPC protocol implementation could enable remote code execution by an attacker with network access to vCenter Server.

 

Affected Software: 

• vCenter Server 8.x < v8.0U2
• vCenter Server 7.x < v7.0U3o
• VMware Cloud Foundation v4.x and v5.x [3]

 

Recommendation:

Update to the latest version of VMware vCenter Server for your installation. There are no recommended mitigations.

 

References:

[1] https://www.vmware.com/security/advisories/VMSA-2023-0023.html

[2] https://nvd.nist.gov/vuln/detail/CVE-2023-34048

[3] https://kb.vmware.com/s/article/88287 

 

How Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.