VMware reveals critical vCenter vuln that you may have patched already without knowing it


VMware has disclosed a critical vulnerability in its vCenter Server – and that it issued an update to fix it weeks ago, along with patches for unsupported versions of the software.

The soon-to-be-acquired-by-Broadcom virtualization giant on Wednesday delivered news that its implementation of the Distributed Computing Environment/Remote Procedure Calls (DCERPC) protocol contains an out-of-bounds write vulnerability.

CVE-2023-34048, as the vuln is now known, scored 9.8/10 on CVSSv3, as it enables a malicious actor with network access to vCenter Server to trigger an out-of-bounds write – potentially leading to remote code execution.

Virtzilla hasn't seen anyone exploiting the flaw, but of course advises fixing it – fast.

Which is where things get a little odd. One way to address the issue is to adopt vCenter Server 8.0U2 – which was released on September 21. Yet an archived version of the release notes for 8.0U2 dated October 13 contains no mention of security patches.

Nor does the version of the release notes visible today mention whether the document has been updated to address CVE-2023-34048.

We can't imagine VMware would require those who adopted vCenter 8.0U2 to update their servers a second time, so have asked for clarification on whether version 8.0U2 addressed the vuln on the day of release.

Unusually, VMware also released patches for versions of vCenter that have reached end of life. Versions 6.5, 6.7, and 7.0 can all find fixes.

Virtzilla revealed a second CVE, too. CVE-2023-34056 means "a malicious actor with non-administrative privileges to vCenter Server may leverage this issue to access unauthorized data."

This one's rated a mere 4.3 and is covered in the patches that also address the critical vuln, which was found by Grigory Dorodnov of Trend Micro Zero Day Initiative.

Between the security notification that brought news of these flaws, and the release of updated desktop hypervisors, VMware is clearly going about business as usual ahead of its acquisition by Broadcom, due to complete on or by October 30. The Register has also hinted that announcements from the European incarnation of the VMware Explore conference, starting November 6, are imminent.

But The Register has also encountered posts claiming letters offering employment at Broadcom have started to arrive in the US, with some VMware staffers complaining that – unlike their immediate colleagues – they've not received such a letter. ®