VMSA-2023-0007

Severity: Critical
Advisory ID: VMSA-2023-0007
CVSSv3 Range: 7.2-9.8
Issue Date: 2023-04-20
Updated On: 2023-04-20 (Initial Advisory)
CVE(s): CVE-2023-20864, CVE-2023-20865
Synopsis: VMware Aria Operations for Logs (Operations for Logs) update addresses multiple vulnerabilities. (CVE-2023-20864, CVE-2023-20865)

1. Impacted Products

VMware Aria Operations for Logs (formerly vRealize Log Insight)

2. Introduction

Multiple vulnerabilities in VMware Aria Operations for Logs were privately reported to VMware. Updates and workarounds are available to address these vulnerabilities in affected VMware products.

3a. VMware Aria Operations for Logs Deserialization Vulnerability (CVE-2023-20864)

Description

VMware Aria Operations for Logs contains a deserialization vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

Known Attack Vectors

An unauthenticated, malicious actor with network access to VMware Aria Operations for Logs may be able to execute arbitrary code as root.

Resolution

To remediate CVE-2023-20864 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Anonymous working with Trend Micro Zero Day Initiative for reporting this issue to us.

3b. VMware Aria Operations for Logs Command Injection Vulnerability (CVE-2023-20865)

Description

VMware Aria Operations for Logs contains a command injection vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.2.

Known Attack Vectors

A malicious actor with administrative privileges in VMware Aria Operations for Logs can execute arbitrary commands as root.

Resolution

To remediate CVE-2023-20865 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below.

Workarounds

None.

Additional Information

None.

Notes

None.

Acknowledgements

VMware would like to thank Y4er & MoonBack of 埃文科技 for reporting this vulnerability to us.

Response Matrix

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| VMware Aria Operations for Logs (Operations for Logs) | 8.12 | Any | CVE-2023-20864, CVE-2023-20865 | N/A | N/A | Unaffected | None | |
| VMware Aria Operations for Logs (Operations for Logs) | 8.10.2 | Any | CVE-2023-20864, CVE-2023-20865 | 9.8, 7.2 | Critical | | None | |
| VMware Aria Operations for Logs (Operations for Logs) | 8.10 | Any | CVE-2023-20864 | N/A | N/A | Unaffected | None | |
| VMware Aria Operations for Logs (Operations for Logs) | 8.10 | Any | CVE-2023-20865 | 7.2 | Important | | None | |
| VMware Aria Operations for Logs (Operations for Logs) | 8.8.x | Any | CVE-2023-20864 | N/A | N/A | Unaffected | None | |
| VMware Aria Operations for Logs (Operations for Logs) | 8.8.x | Any | CVE-2023-20865 | 7.2 | Important | | None | |
| VMware Aria Operations for Logs (Operations for Logs) | 8.6.x | Any | CVE-2023-20864 | N/A | N/A | Unaffected | None | |
| VMware Aria Operations for Logs (Operations for Logs) | 8.6.x | Any | CVE-2023-20865 | 7.2 | Important | | None | |
| VMware Cloud Foundation (VMware Aria Operations for Logs) | 4.x | Any | CVE-2023-20864, CVE-2023-20865 | 9.8, 7.2 | Critical | | | |

4. References

5. Change Log

2023-04-20 VMSA-2023-0007

Initial security advisory.

6. Contact

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055

VMware Security Advisories

http://www.vmware.com/security/advisories

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog

https://blogs.vmware.com/security

Twitter

https://twitter.com/VMwareSRC

Copyright 2023 VMware Inc. All rights reserved.