Hand-Picked Top-Read Stories

How to obtain a Citrix Invoice

2 views

CVAD – Constant grey screen when launching ICA session to VDA 2311 on Windows Server 2022 on Vmware

36 views

Pre-configure the Store-URL in the “Citrix Workspace App” for MAC

45 views

Trending Tags

VMware Virtualisation

460 views

2 minute read

VMSA-2023-0004

22 February 2023

Critical

Advisory ID:
VMSA-2023-0004

CVSSv3 Range:
9.1

Issue Date:
2023-02-21

Updated On:
2023-02-21 (Initial Advisory)

CVE(s):
CVE-2023-20858

Synopsis:
VMware Carbon Black App Control updates address an injection vulnerability (CVE-2023-20858)

1. Impacted Products

VMware Carbon Black App Control (App Control)

2. Introduction

An injection vulnerability affecting VMware Carbon Black App Control was privately reported to VMware. Updates are available to address this vulnerability in affected VMware products.

3. Injection Vulnerability (CVE-2023-20858)

Description

VMware Carbon Black App Control contains an injection vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.1.

Known Attack Vectors

A malicious actor with privileged access to the App Control administration console may be able to use specially crafted input allowing access to the underlying server operating system.

Resolution

To remediate CVE-2023-20858 update to the versions listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Jari Jääskelä (@JJaaskela) for reporting this vulnerability to us.

Response Matrix

Product	Version	Running On	CVE Identifier	CVSSv3	Severity	Fixed Version	Workarounds	Additional Documentation
App Control	8.9.x	Windows	CVE-2023-20858	9.1	critical	8.9.4	None	None
App Control	8.8.x	Windows	CVE-2023-20858	9.1	critical	8.8.6	None	None
App Control	8.7.x	Windows	CVE-2023-20858	9.1	critical	8.7.8	None	None

4. References

Downloads and Documentation:

VMware Carbon Black App Control 8.9.4
https://docs.vmware.com/en/VMware-Carbon-Black-App-Control/services/cb-ac-announcements/GUID-7464A525-BCF4-4329-9228-B040C9C16D22.html

VMware Carbon Black App Control 8.7.8, 8.8.6
https://docs.vmware.com/en/VMware-Carbon-Black-App-Control/services/cb-ac-announcements/GUID-35DA49E4-41F3-485B-88E5-AE69B354F2FB.html

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20858

FIRST CVSSv3 Calculator:
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

5. Change Log

2023-02-21 VMSA-2023-0004
Initial security advisory.

6. Contact

E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055

VMware Security Advisories
https://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

Read full article (vmware.com)

All content and images belong to their respected owners, this article is curated for informational purposes only.

Leave a Reply Cancel reply

You must be logged in to post a comment.

Previous Post

Citrix

ShareFile – Transfer files to a new network share

21 February 2023

Next Post

VMware Virtualisation

VMSA-2023-0005

22 February 2023