VMSA-2023-0021

Advisory ID: VMSA-2023-0021
Severity: Important
CVSSv3 Range: 8.1
Issue Date: 2023-10-19
Updated On: 2023-10-19 (Initial Advisory)
CVE(s): CVE-2023-34051, CVE-2023-34052
Synopsis: VMware Aria Operations for Logs updates address multiple vulnerabilities. (CVE-2023-34051, CVE-2023-34052)

1. Impacted Products

  • Aria Operations for Logs

2. Introduction



Multiple vulnerabilities in VMware Aria Operations for Logs were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

3a. Authentication Bypass Vulnerability (CVE-2023-34051)

Description



VMware Aria Operations for Logs contains an authentication bypass vulnerability. VMware has evaluated the severity of this issue to be in the Important Severity Range with a maximum CVSSv3 base score of 8.1.

Known Attack Vectors



An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution.

Resolution



To remediate CVE-2023-34051 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below.

Workarounds



None.

Additional Documentation



None.

Notes



None.

Acknowledgements



VMware would like to thank James Horseman from Horizon3.ai and Randori Attack Team (https://twitter.com/RandoriAttack) for reporting this issue to us.

3b. Deserialization Vulnerability (CVE-2023-34052)

Description



VMware Aria Operations for Logs contains a deserialization vulnerability. VMware has evaluated the severity of this issue to be in the Important Severity Range with a maximum CVSSv3 base score of 8.1.

Known Attack Vectors



A malicious actor with non-administrative access to the local system can trigger the deserialization of data which could result in authentication bypass.

Resolution



To remediate CVE-2023-34052 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below.

Workarounds



None.

Additional Documentation



None.

Notes



None.

Acknowledgements



VMware would like to thank IuHrm of Cyber KunLun for reporting this issue to us.

Response Matrix

Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
VMware Aria Operations for Logs | 8.14 | Any | CVE-2023-34051, CVE-2023-34052 | N/A | N/A | Unaffected | N/A | N/A
VMware Aria Operations for Logs | 8.x | Any | CVE-2023-34051, CVE-2023-34052 | 8.1 | Important | 8.14 | N/A | N/A
VMware Cloud Foundation (VMware Aria Operations for Logs) | 5.x, 4.x | Any | CVE-2023-34051, CVE-2023-34052 | 8.1 | Important | KB95212 | N/A | N/A
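The response matrix reduces to a version comparison: any Aria Operations for Logs 8.x release below 8.14 is affected, 8.14 is unaffected, and Cloud Foundation 4.x/5.x deployments follow KB95212. When that comparison is scripted over an inventory, it must be numeric: a plain string comparison ranks "8.9" above "8.14" and would wrongly mark an affected appliance as fixed. The following triage helper is an added example and is not code from VMware or from the advisory; the version-string format it parses ("8.12.0.0-21478585", a dotted numeric release with an optional build suffix) and the inventory hostnames are assumptions constructed for the example.

```python
"""Version triage against the VMSA-2023-0021 response matrix.

Added example, not part of the VMware advisory. The appliance version format
assumed here (dotted numeric release plus optional "-build" suffix) is an
assumption for the example; the advisory itself only names the "8.x" train,
the fixed release 8.14, and VCF 4.x/5.x via KB95212.
"""
import re
from typing import NamedTuple

FIXED = (8, 14)        # first Aria Operations for Logs release listed as Unaffected
AFFECTED_MAJOR = 8     # the matrix only lists the 8.x train

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(?:[-+ ].*)?$")


class Verdict(NamedTuple):
    host: str
    version: str
    status: str   # "affected", "unaffected" or "not listed"
    action: str


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '8.12.0.0-21478585' into (8, 12, 0, 0) so comparison is numeric.

    A string comparison gets this wrong: '8.9' > '8.14' is True in Python.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def at_least(version: tuple[int, ...], floor: tuple[int, ...]) -> bool:
    """Numeric comparison with the shorter tuple zero-padded: (8, 14) >= (8, 14, 0, 0)."""
    width = max(len(version), len(floor))

    def pad(t: tuple[int, ...]) -> tuple[int, ...]:
        return t + (0,) * (width - len(t))

    return pad(version) >= pad(floor)


def triage_ops_for_logs(host: str, version_text: str) -> Verdict:
    """Apply the Aria Operations for Logs rows of the response matrix."""
    v = parse_version(version_text)
    if v[0] != AFFECTED_MAJOR:
        return Verdict(host, version_text, "not listed",
                       "release train not in the VMSA-2023-0021 matrix; check the advisory")
    if at_least(v, FIXED):
        return Verdict(host, version_text, "unaffected", "none (8.14 or later)")
    return Verdict(host, version_text, "affected",
                   "upgrade to 8.14 (CVE-2023-34051, CVE-2023-34052); no workaround exists")


def triage_vcf(host: str, version_text: str) -> Verdict:
    """Apply the VMware Cloud Foundation row: 4.x and 5.x are fixed via KB95212."""
    v = parse_version(version_text)
    if v[0] in (4, 5):
        return Verdict(host, version_text, "affected", "follow KB95212")
    return Verdict(host, version_text, "not listed", "VCF train not in the matrix")


# Constructed inventory for the example; hostnames and versions are made up.
INVENTORY = [
    ("logs-01.example.test", "8.12.0.0-21478585"),
    ("logs-02.example.test", "8.9.1"),
    ("logs-03.example.test", "8.14"),
    ("logs-04.example.test", "8.14.0.1"),
]


def report(inventory=INVENTORY) -> list[Verdict]:
    """Triage every Aria Operations for Logs appliance in the inventory."""
    return [triage_ops_for_logs(host, version) for host, version in inventory]


if __name__ == "__main__":
    for r in report():
        print(f"{r.host:22} {r.version:20} {r.status:11} {r.action}")
```

The "not listed" verdict is deliberate: the matrix says nothing about release trains other than 8.x, so the helper refuses to call them unaffected rather than guessing.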

4. References



Fixed Version(s) and Release Notes:

VMware Aria Operations for Logs (Operations for Logs) 8.14 Release Notes

Downloads and Documentation:

https://customerconnect.vmware.com/en/downloads/info/slug/infrastructure_operations_management/vmware_aria_operations/8_14

https://docs.vmware.com/en/VMware-Aria-Operations/8.14/rn/vmware-aria-operations-814-release-notes/index.html

VMware Cloud Foundation: KB95212

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34051

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34052

FIRST CVSSv3 Calculator:

CVE-2023-34051 – https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2023-34052 – https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

5. Change Log



2023-10-19 VMSA-2023-0021

Initial security advisory.

6. Contact



E-mail list for product security notifications and announcements:

http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com

E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

Copyright 2023 VMware Inc. All rights reserved.
