VMware fixes critical flaws in Aria Operations for Networks (CVE-2023-20887)
VMware has fixed two critical and one important vulnerability in Aria Operations for Networks, its popular enterprise network monitoring tool.
CVE-2023-20887 is a pre-authentication command injection vulnerability that may allow a malicious actor with network access to VMware Aria Operations for Networks to perform a command injection attack and execute code remotely.
"According to a tweet by researcher Y4er, CVE-2023-20887 is reportedly a patch bypass for CVE-2022-31702, another critical command injection vulnerability in vRNI that was patched by VMware in December 2022," Tenable's Scott Caveza revealed.
CVE-2023-20888 is an authenticated deserialization vulnerability that may allow a malicious actor with network access to VMware Aria Operations for Networks and valid "Member" role credentials to execute code through a deserialization attack.
CVE-2023-20889 is an information disclosure vulnerability that could allow a malicious actor who has network access to VMware Aria Operations for Networks to perform a command injection attack that could result in information disclosure.
Multiple versions of VMware Aria Operations for Networks are affected by these vulnerabilities, namely 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9, and 6.10.
News URL
https://www.helpnetsecurity.com/2023/06/15/cve-2023-20887-poc-exploit/
Related news
- VMware Releases vCenter Server Update to Fix Critical RCE Vulnerability
- VMware fixes critical vCenter Server RCE bug – again! (CVE-2024-38812)
- VMware fixes bad patch for critical vCenter Server RCE flaw
- VMware fixes critical RCE, make-me-root bugs in vCenter - for the second time
- Week in review: Fortinet patches critical FortiManager 0-day, VMware fixes vCenter Server RCE
- Critical RCE bug in VMware vCenter Server now exploited in attacks
- Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK (CVSS) |
---|---|---|---|
2023-06-07 | CVE-2023-20889 | Command injection leading to information disclosure: VMware Aria Operations for Networks (formerly vRealize Network Insight) contains an information disclosure vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in information disclosure. | 7.5 |
2023-06-07 | CVE-2023-20888 | Deserialization of untrusted data: VMware Aria Operations for Networks (formerly vRealize Network Insight) contains an authenticated deserialization vulnerability. A malicious actor with network access to VMware Aria Operations for Networks and valid 'member' role credentials may be able to perform a deserialization attack resulting in remote code execution. | 8.8 |
2023-06-07 | CVE-2023-20887 | Command injection: VMware Aria Operations for Networks contains a command injection vulnerability. | 9.8 |
2022-12-14 | CVE-2022-31702 | Command injection: VMware vRealize Network Insight (vRNI) contains a command injection vulnerability present in the vRNI REST API. | 9.8 |