October 25, 2023 at 12:33AM
VMware has disclosed a critical vulnerability in its vCenter Server, along with a patch to fix it. The vulnerability, tracked as CVE-2023-34048, allows a malicious actor with network access to trigger an out-of-bounds write and potentially execute code remotely. VMware has also released patches for unsupported versions of the software. An additional vulnerability, CVE-2023-34056, allows unauthorized data access and carries a lower severity rating. VMware’s actions come ahead of its acquisition by Broadcom and the upcoming VMware Explore conference.
Key Takeaways from Meeting Notes:
– VMware has disclosed a critical vulnerability in its vCenter Server, tracked as CVE-2023-34048, which enables a malicious actor with network access to trigger an out-of-bounds write and potentially execute code remotely.
– VMware issued an update that fixes the vulnerability weeks ago, along with patches for unsupported versions of the software.
– No exploitation of the vulnerability is known so far, but administrators are advised to apply the fix quickly.
– vCenter Server 8.0U2, released on September 21, is one way to address the situation, but it is unclear if this version includes the necessary security patches.
– VMware has released patches for versions 6.5, 6.7, and 7.0 of vCenter, even though they have reached end of life.
– A second CVE, CVE-2023-34056, allows a malicious actor with non-administrative privileges to access unauthorized data in vCenter Server. This vulnerability is rated lower, with a severity score of 4.3.
– VMware is proceeding with business as usual ahead of its acquisition by Broadcom, which is expected to be completed by October 30.
– The European VMware Explore conference, starting on November 6, may bring further announcements.
– There are reports that letters offering employment at Broadcom have been sent to VMware staffers in the US, causing some employees to feel left out.