VMware’s operations management platform, Aria Operations, contains several security vulnerabilities. Three vulnerabilities allow authenticated attackers to escalate their privileges, and a deserialization vulnerability allows a malicious admin to execute custom code.
Aria Operations, formerly vRealize, is used for the automated management of cloud resources. The most severe vulnerability (CVE-2023-20877, CVSS score 8.8/10) can be exploited by attackers with read access to Aria Operations to run their own code and elevate their privileges.
The second (CVE-2023-20879, CVSS 6.7/10) and third (CVE-2023-20880, CVSS 6.4/10) vulnerabilities allow malicious administrators to gain root access to the operating system running Aria Operations. Internal attackers can also exploit the deserialization vulnerability (CVE-2023-20878, CVSS 6.6/10) to execute their own commands and thus disrupt the system.
Version 4 of VMware Cloud Foundation and versions 8.6 and 8.10 of VMware Aria Operations are affected by the vulnerabilities. VMware has already provided hotfixes for all vulnerabilities.
(cku)