VMware Carbon Black has critical vulnerability

By

Patch also issued for vRealize, VCF bug.

VMware has disclosed a critical vulnerability in its Carbon Black endpoint security platform.

VMware Carbon Black has critical vulnerability

Carbon Black provides application control, anti-virus and policy enforcement for enterprise endpoints under a single admin console.

Carbon Black’s application control versions 8.7x, 8.8x and 8.9x running on Windows are subject to CVE-2023-20858, which carries a critical CVSS score of 9.1.

VMware describes it as an injection vulnerability. An attacker would need compromised user credentials to exploit the bug, since they need privileged access to the app control administration console via the network.

With access, an attacker can then feed the console crafted input, and get access to the underlying server operating system.

The bug was discovered by HackerOne researcher Jari Jääskelä.

The company also announced CVE-2023-20855, a CVSS 8.8-scored vulnerability in its vRealize Orchestrator, vRealize Automation, and VMware Cloud Foundation products.

“A malicious actor, with non-administrative access to vRealize Orchestrator, may be able to use specially crafted input to bypass XML parsing restrictions leading to access to sensitive information or possible escalation of privileges”, VMware’s advisory stated.

The bug was reported by Germany’s State Office for Information Technology and Statistics (IT.NRW).

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

Eagers Automotive finds unauthorised access to parts of IT systems

Eagers Automotive finds unauthorised access to parts of IT systems

Hackers hit Victoria's court recording database

Hackers hit Victoria's court recording database

St Vincent's Health Australia warns cyber attack forensics could "take some time"

St Vincent's Health Australia warns cyber attack forensics could "take some time"

Yakult Australia confirms cyber incident

Yakult Australia confirms cyber incident

Log In

  |  Forgot your password?