This advisory is for organizations that use VMware vCenter to manage virtual infrastructure. If your organization does not use this platform, this notification may be discarded.
Summary
VMware has issued patches for a vulnerability in vCenter Server's implementation of the DCE/RPC (Distributed Computing Environment/Remote Procedure Call) protocol. It is an out-of-bounds write that could allow a remote attacker to write into a region of memory that is later executed, resulting in code execution with elevated privileges.
CVE-2023-34048 – VMware vCenter Server Out-of-Bounds Write Vulnerability
CVSSv3: 9.8
Affected Products/Versions
Mitigations
While VMware normally does not mention end-of-life products in VMware Security Advisories, due to the critical severity of this vulnerability and the lack of a workaround, VMware has made a patch generally available for vCenter Server 6.7U3, 6.5U3, and VCF 3.x.
For the same reasons, VMware has made additional patches available for vCenter Server 8.0U1.
VMware vCenter Server 8.0U2
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC80U2&productId=1345&rPId=110105
VMware vCenter Server 8.0U1d
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC80U1D&productId=1345&rPId=112378
VMware vCenter Server 7.0U3o
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC70U3O&productId=974&rPId=110262
Cloud Foundation 5.x/4.x
https://kb.vmware.com/s/article/88287
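The patched releases named above (8.0U2, 8.0U1d, 7.0U3o) are the only version identifiers this advisory gives, so patch-status triage comes down to comparing each vCenter's release label against them. The script below is an added example, not VMware's tooling or part of the advisory: it parses vCenter release labels of the form "major.minorUn" plus an optional patch letter, assumes the patch letter is ordinal (a, b, c, ...), treats the end-of-life 6.7 and 6.5 lines as "patch available but release label not given here", and runs over a constructed inventory. It works from release labels only; build numbers are not given in this advisory and are not modelled.

```python
import re

# Fixed releases named in the advisory for CVE-2023-34048, keyed by product line.
# 8.0U1d is the fix for the 8.0U1 train; 8.0U2 is the fix for the 8.0 line generally.
FIXED_RELEASES = {
    "8.0": ["8.0U1d", "8.0U2"],
    "7.0": ["7.0U3o"],
}

# End-of-life lines for which the advisory says a patch was made available
# but does not name the patched release label, so they need manual review.
EOL_PATCHED_LINES = {"6.7", "6.5"}

# Release label grammar assumed by this example: "7.0", "7.0U3", "7.0U3o", "8.0 U1d".
_LABEL_RE = re.compile(r"^(\d+)\.(\d+)(?:\s*U(\d+)([a-zA-Z])?)?$", re.IGNORECASE)


def parse_release(label):
    """Turn a label such as '7.0U3o' into a comparable tuple (7, 0, 3, 15).

    The trailing patch letter is treated as an ordinal (assumption of this
    example): 'a' -> 1, 'b' -> 2, ...; no letter -> 0; no update -> update 0.
    """
    match = _LABEL_RE.match(label.strip())
    if not match:
        raise ValueError(f"unrecognised vCenter release label: {label!r}")
    major, minor, update, letter = match.groups()
    letter_ord = (ord(letter.lower()) - ord("a") + 1) if letter else 0
    return (int(major), int(minor), int(update or 0), letter_ord)


def assess(label):
    """Classify one vCenter release label against the advisory's fixed releases."""
    version = parse_release(label)
    line = f"{version[0]}.{version[1]}"
    if line in EOL_PATCHED_LINES:
        # Patch exists per the advisory, but its label is not given; review manually.
        return "eol-patch-available"
    fixed = FIXED_RELEASES.get(line)
    if fixed is None:
        # Not a line this advisory covers; consult the VMSA directly.
        return "unknown-line"
    # Patched if the running release is at or above any named fixed release.
    return "patched" if any(version >= parse_release(f) for f in fixed) else "vulnerable"


def triage(inventory):
    """Map each (hostname, release label) pair to its patch status."""
    return {host: assess(label) for host, label in inventory}


# Constructed sample inventory; hostnames and labels are illustrative only.
SAMPLE_INVENTORY = [
    ("vcsa-prod-01.example.invalid", "8.0U1c"),
    ("vcsa-prod-02.example.invalid", "8.0U2"),
    ("vcsa-dr-01.example.invalid", "7.0U3n"),
    ("vcsa-lab-01.example.invalid", "7.0U3o"),
    ("vcsa-legacy-01.example.invalid", "6.7U3"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:34} {status}")
```

Hosts reported as "vulnerable" should be scheduled for the matching download above; "eol-patch-available" hosts need the one-off patch VMware issued for the 6.7U3/6.5U3 lines, whose release label has to be taken from the VMSA rather than from this advisory text.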
Additional Resources
https://www.vmware.com/security/advisories/VMSA-2023-0023.html
https://thehackernews.com/2023/10/act-now-vmware-releases-patch-for.html
https://nvd.nist.gov/vuln/detail/CVE-2023-34048