VMSA-2023-0021

VMware Security Advisory

Important

Advisory ID:
VMSA-2023-0021

CVSSv3 Range:
8.1

Issue Date:
2023-10-19

Updated On:
2023-10-19 (Initial Advisory)

CVE(s):
CVE-2023-34051, CVE-2023-34052

Synopsis:
VMware Aria Operations for Logs updates address multiple vulnerabilities. (CVE-2023-34051, CVE-2023-34052)

1. Impacted Products

Aria Operations for Logs 

2. Introduction

Multiple vulnerabilities in VMware Aria Operations for Logs were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

3a. Authentication Bypass Vulnerability (CVE-2023-34051)

Description

VMware Aria Operations for Logs contains an authentication bypass vulnerability. VMware has evaluated the severity of this issue to be in the Important Severity Range with a maximum CVSSv3 base score of 8.1.

Known Attack Vectors

An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution.

Resolution

To remediate CVE-2023-34051 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank James Horseman from Horizon3.ai and Randori Attack Team (https://twitter.com/RandoriAttack) for reporting this issue to us.

3b. Deserialization Vulnerability (CVE-2023-34052)

Description

VMware Aria Operations for Logs contains a deserialization vulnerability. VMware has evaluated the severity of this issue to be in the Important Severity Range with a maximum CVSSv3 base score of 8.1.

Known Attack Vectors

A malicious actor with non-administrative access to the local system can trigger the deserialization of data which could result in authentication bypass.

Resolution

To remediate CVE-2023-34052 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank IuHrm of Cyber KunLun for reporting this issue to us.

Response Matrix

Product                                                   | Version  | Running On | CVE Identifier                 | CVSSv3 | Severity  | Fixed Version | Workarounds | Additional Documentation
VMware Aria Operations for Logs                           | 8.14     | Any        | CVE-2023-34051, CVE-2023-34052 | N/A    | N/A       | Unaffected    | N/A         | N/A
VMware Aria Operations for Logs                           | 8.x      | Any        | CVE-2023-34051, CVE-2023-34052 | 8.1    | Important | 8.14          | N/A         | N/A
VMware Cloud Foundation (VMware Aria Operations for Logs) | 5.x, 4.x | Any        | CVE-2023-34051, CVE-2023-34052 | 8.1    | Important | KB95212       | N/A         | N/A
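The response matrix above reduces to one rule for standalone deployments: any 8.x release below 8.14 is affected by both CVEs, and 8.14 (or later) is not. The following triage helper, an added example and not VMware's own tooling, encodes that rule as data and classifies a version string taken from an appliance. The sample build string it uses is constructed; it assumes version strings of the form "major.minor[.patch...][-build]" and compares them numerically, because a plain string comparison would rank "8.2" after "8.14" and mislabel an affected appliance as fixed.

```python
"""Triage helper for the VMSA-2023-0021 response matrix (added example)."""
import re
from typing import Dict, Tuple

CVES = ("CVE-2023-34051", "CVE-2023-34052")
# From the response matrix: 8.14 is unaffected, every earlier 8.x release is affected.
FIXED_VERSION = (8, 14)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.12.0.0-123456' or '8.14' into a tuple of integers.

    Anything after '-' is treated as a build identifier and dropped: it does
    not order releases, and keeping it would break the numeric comparison.
    """
    core = text.strip().split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in core.split("."))


def assess(version: str) -> Dict[str, object]:
    """Classify an Aria Operations for Logs version against the advisory.

    Tuple comparison is what makes this correct: (8, 2) < (8, 14) is True,
    whereas the string comparison '8.2' < '8.14' is False.
    """
    parsed = parse_version(version)
    if parsed[0] != 8:
        # The matrix lists only the 8.x line; report anything else explicitly
        # rather than silently calling it safe.
        return {"version": version, "status": "not covered by VMSA-2023-0021", "cves": ()}
    affected = parsed < FIXED_VERSION
    return {
        "version": version,
        "status": "affected" if affected else "unaffected",
        "cves": CVES if affected else (),
        "fixed_version": "8.14",
    }


if __name__ == "__main__":
    # Constructed sample inputs; the build suffix is not a real VMware build number.
    for sample in ("8.12.0.0-123456", "8.2", "8.14", "8.14.1"):
        print(assess(sample))
```

Cloud Foundation bundles are not handled here: the matrix routes those to KB95212 rather than to a single fixed version, so they need the KB's own guidance rather than a version comparison.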

4. References

Fixed Version(s) and Release Notes:
VMware Aria Operations for Logs (Operations for Logs) 8.14 Release Notes
Downloads and Documentation:
https://customerconnect.vmware.com/en/downloads/info/slug/infrastructure_operations_management/vmware_aria_operations/8_14
https://docs.vmware.com/en/VMware-Aria-Operations/8.14/rn/vmware-aria-operations-814-release-notes/index.html
VMware Cloud Foundation: KB95212
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34051
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34052
FIRST CVSSv3 Calculator:
CVE-2023-34051 – https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2023-34052 – https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

5. Change Log

2023-10-19 VMSA-2023-0021
Initial security advisory.

6. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists: security-announce@lists.vmware.com
E-mail: security@vmware.com
PGP key at: https://kb.vmware.com/kb/1055
VMware Security Advisories http://www.vmware.com/security/advisories
VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog https://blogs.vmware.com/security
Twitter https://twitter.com/VMwareSRC
Copyright 2023 VMware Inc. All rights reserved.
