vCenter needs patch for critical bug

'Considered an emergency change', VMware says.

A critical bug in VMware’s vCenter Server needs patching as soon as possible.

VMware said its implementation of the DCE/RPC (distributed computing environment remote procedure calls) protocol contained an out-of-bounds write vulnerability.

“In ITIL parlance this would be considered an emergency change, and your organisation should consider acting quickly,” the vendor said.

Rated 9.8 on the CVSS scale, CVE-2023-34048 can be exploited for remote code execution.

Two other products that incorporate vCenter, vSphere and vCloud, also need to be patched.

In an explanatory blog post, VMware said several branches of the software are impacted: vSphere 6.5, 6.7, 7.0, 8.0.1, and 8.0.2.

The company has taken the relatively rare step of patching end-of-life products, “due to the critical severity of this vulnerability and lack of workaround”.

End-of-life products covered are vCenter Server 6.7U3, 6.5U3, and VCF 3.x.

“For the same reasons, VMware has made additional patches available for vCenter Server 8.0U1,” the advisory said.

“Async vCenter Server patches for VCF 5.x and 4.x deployments have been made available.”
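The affected-branch and end-of-life lists above are the inputs a patch-triage script needs. The following is an added example, not code from iTnews or VMware: it parses vCenter version strings from a constructed asset inventory, maps each to its release branch, and ranks hosts by patch urgency using only the branches named in this article. Fixed build numbers are not given here, so for hosts in an affected branch the script asks the operator to confirm the build against VMware's advisory rather than declaring them patched. VCF 3.x, 4.x and 5.x are not modelled; the `host` names and versions in the sample inventory are constructed.

```python
import re
from typing import List, Optional, Tuple

# Affected vCenter branches as listed in the article.
AFFECTED_BRANCHES = {"6.5", "6.7", "7.0", "8.0.1", "8.0.2"}
# End-of-life vCenter lines that VMware patched anyway, per the article.
END_OF_LIFE = {"6.5U3", "6.7U3"}

# Accepts "7.0.3", "8.0.2", "6.7U3", "8.0 U1" and similar (assumed input format).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\s*U(\d+))?$")


def parse_version(version: str) -> Optional[dict]:
    """Split a vCenter version string into numeric parts; None if unparseable."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return {
        "major": int(major),
        "minor": int(minor),
        "patch": int(patch) if patch else 0,
        "update": int(update) if update else 0,
    }


def branch_of(v: dict) -> str:
    """Map parsed parts to the branch naming the article uses.

    8.0 releases are distinguished by their third component (8.0U1 is 8.0.1,
    8.0U2 is 8.0.2); older lines are tracked by major.minor only.
    """
    if v["major"] >= 8:
        third = v["patch"] or v["update"]
        return f'{v["major"]}.{v["minor"]}.{third}'
    return f'{v["major"]}.{v["minor"]}'


def classify(version: str) -> dict:
    """Decide whether a single vCenter version falls in an affected branch."""
    v = parse_version(version)
    if v is None:
        return {"version": version, "branch": None, "affected": False,
                "end_of_life": False,
                "action": "unparseable version string; inspect host manually"}
    branch = branch_of(v)
    affected = branch in AFFECTED_BRANCHES
    eol = f'{v["major"]}.{v["minor"]}U{v["update"]}' in END_OF_LIFE
    if affected and eol:
        action = "patch now: end-of-life line, apply the special EOL patch"
    elif affected:
        action = ("patch now: affected branch, confirm build meets the fixed "
                  "build in VMware's advisory")
    else:
        action = "branch not listed as affected; verify against VMware's advisory"
    return {"version": version, "branch": branch, "affected": affected,
            "end_of_life": eol, "action": action}


def triage(inventory: List[Tuple[str, str]]) -> List[dict]:
    """Classify every (host, version) pair and order by urgency: affected EOL
    lines first, then other affected hosts, then everything else."""
    rows = [dict(host=host, **classify(ver)) for host, ver in inventory]
    rows.sort(key=lambda r: (not r["affected"], not r["end_of_life"], r["host"]))
    return rows


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("vc-prod-01", "8.0.2"),
    ("vc-prod-02", "7.0.3"),
    ("vc-lab-01", "8.0.0"),
    ("vc-legacy-01", "6.7U3"),
    ("vc-legacy-02", "6.5U3"),
    ("vc-unknown", "n/a"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f'{row["host"]:14} {row["version"]:7} {row["action"]}')
```

Because the article lists 8.0.1 and 8.0.2 but not the 8.0 GA release, a host reporting "8.0.0" is ranked as "not listed" and handed to the operator for verification rather than silently marked safe; the same applies to anything the regex cannot parse.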

VMware said it is not aware of any exploits in the wild.

CVE-2023-34048 was discovered by Grigory Dorodnov of Trend Micro's Zero Day Initiative.

A second, lower-rated bug, CVE-2023-34056 (CVSS 4.3), was also patched.

This is described as a “partial information disclosure” vulnerability. “A malicious actor with non-administrative privileges to vCenter Server may leverage this issue to access unauthorised data,” the advisory said.

It was disclosed by Oleg Moshkov of Deiteriy Lab.

Copyright © iTnews.com.au. All rights reserved.