VMware vCenter Server updates address out-of-bounds write and information disclosure vulnerabilities (CVE-2023-34048, CVE-2023-34056)

Advisory No: TZCERT/SA/2023/10/27

Date of First Release: 27^th October 2023

Source: VMware

Software Affected:  VMware vCenter Server and VMware Cloud Foundation

Overview:

Two vulnerabilities affecting VMware vCenter Server and VMware Cloud Foundation have been disclosed. These vulnerabilities may lead to out-of-bounds write potentially leading to remote code execution.

Description:

VMware products are affected by multiple flaws that could result into a critical out-of-bound write (CVE-2023-34048) and access to unauthorized data by non-administrative privileged user. Successful exploitation of the critical flaw may allow an attacker to trigger out-of-bound write leading to remote code execution.

Impact:

Successful exploitation of these vulnerabilities may allow the attacker to take control of affected system.

Solution:

VMware has released patches for these vulnerabilities. Users and administrators are encouraged to apply all necessary updates.

References:

1. https://www.vmware.com/security/advisories/VMSA-2023-0023.html
2. https://thehackernews.com/2023/10/act-now-vmware-releases-patch-for.html