
VMware patches critical injection flaw in Carbon Black App Control (CVE-2023-20858)
2023-02-22 12:01

VMware has fixed a critical vulnerability in Carbon Black App Control, its enterprise solution for preventing untrusted software from executing on critical systems and endpoints.

Even though the flaw was privately reported to VMware, and there is no mention of it being actively exploited, admins are urged to upgrade to a fixed version as soon as possible.

To exploit CVE-2023-20858 - an injection vulnerability that could allow a malicious actor to gain access to the underlying server operating system - the attacker must have privileged access to the App Control administration console and use specially crafted input.

Flagged by bug hunter Jari Jääskelä, the vulnerability has been fixed in Carbon Black App Control versions 8.9.4, 8.8.6 and 8.7.8.

VMware also fixed CVE-2023-20855, an "Important" XML External Entity vulnerability in vRealize Orchestrator.

"A malicious actor, with non-administrative access to vRealize Orchestrator, may be able to use specially crafted input to bypass XML parsing restrictions leading to access to sensitive information or possible escalation of privileges," the company explained.
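The XXE class named in the quote above is ordinarily mitigated by refusing any document that carries a DTD, since both internal entity expansion and external (SYSTEM/PUBLIC) entity fetches require one. The following is an added, defender-side Python example, not code from the article, from VMware or from vRealize Orchestrator: a parser wrapper that fails closed on any DTD or entity declaration, plus a small scanner that can be run over uploads or request bodies as a detection signal before parsing. Both sample documents are constructed, and the file URI in the second is a placeholder, not a real path. The scan assumes ASCII-compatible (UTF-8) input; UTF-16 documents would need decoding first.

```python
import re
import xml.etree.ElementTree as ET

# Markup declarations an XXE payload needs: a DOCTYPE to open the internal
# subset, and ENTITY declarations to define the entity that is later expanded.
_DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)

# A SYSTEM or PUBLIC identifier inside an ENTITY declaration is what turns an
# ordinary entity into an external one that the parser would fetch from a
# file or URL.
_EXTERNAL_ENTITY = re.compile(rb"<!ENTITY\b[^>]*\b(SYSTEM|PUBLIC)\b", re.IGNORECASE)


def find_dtd_markers(data: bytes) -> list:
    """Return the DTD-related declarations found in the raw bytes, in order.

    Intended as a detection signal (for logging or alerting) on an upload or
    request body. The scan is deliberately conservative: a marker inside a
    comment or CDATA section still counts, because failing closed is cheaper
    than missing a real one.
    """
    return [m.group(1).decode("ascii").upper() for m in _DTD_MARKERS.finditer(data)]


def has_external_entity(data: bytes) -> bool:
    """True if the document declares an external (SYSTEM/PUBLIC) entity."""
    return _EXTERNAL_ENTITY.search(data) is not None


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source, refusing anything that carries a DTD.

    Rejecting DTDs outright removes every XXE and entity-expansion variant at
    once, regardless of how the underlying parser is configured.
    """
    if not isinstance(data, bytes):
        raise TypeError("pass raw bytes so the scan sees exactly what the parser will")
    markers = find_dtd_markers(data)
    if markers:
        raise ValueError(f"rejected: document declares {', '.join(markers)}")
    return ET.fromstring(data)


# Constructed sample: an ordinary policy document with no DTD.
BENIGN = b'<?xml version="1.0"?><policy><rule id="1">allow</rule></policy>'

# Constructed sample shaped like an external-entity probe. The URI is a
# placeholder, not a real target; it exists only so the scanner has input.
DTD_SHAPED = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE policy [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    b"<policy>&ext;</policy>"
)


if __name__ == "__main__":
    root = parse_untrusted_xml(BENIGN)
    print("benign parsed, root:", root.tag, "rule:", root.find("rule").text)
    print("markers in probe:", find_dtd_markers(DTD_SHAPED),
          "external entity:", has_external_entity(DTD_SHAPED))
    try:
        parse_untrusted_xml(DTD_SHAPED)
    except ValueError as err:
        print("probe rejected:", err)
```

The scanner and the parser wrapper are separate on purpose: the scanner can sit at a gateway or in a log pipeline to surface attempts, while the wrapper is what application code calls so that a rejected document never reaches the XML parser at all.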


News URL

https://www.helpnetsecurity.com/2023/02/22/cve-2023-20858/

Related Vulnerability

DATE | CVE | VULNERABILITY TITLE | RISK
2023-02-22 | CVE-2023-20858 | Injection vulnerability in VMware Carbon Black App Control | network, low complexity, vendor vmware, CWE-74, CVSS 7.2
  VMware Carbon Black App Control 8.7.x prior to 8.7.8, 8.8.x prior to 8.8.6, and 8.9.x prior to 8.9.4 contain an injection vulnerability.
2023-02-22 | CVE-2023-20855 | XXE vulnerability in VMware vRealize Automation and vRealize Orchestrator | network, low complexity, vendor vmware, CWE-611, CVSS 8.8
  VMware vRealize Orchestrator contains an XML External Entity (XXE) vulnerability.

Related vendor

VENDOR | LAST 12M | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS
VMware | 146 | (not given) | 11 | 222 | 256 | 102 | 591