VMware has issued critical patches for its Carbon Black App Control product to address a significant security vulnerability identified as CVE-2023-20858. This vulnerability, which has received a CVSS score of 9.1, impacts App Control versions 8.7.x, 8.8.x, and 8.9.x, representing a serious risk to the system’s integrity.
The company has classified the exposure as an injection vulnerability, discovered and reported by security researcher Jari Jääskelä. According to VMware’s advisory, a threat actor with administrative access to the App Control console could exploit this vulnerability using specifically crafted inputs, potentially gaining unauthorized access to the underlying server operating system.
VMware has indicated that there are no viable workarounds available for this flaw. Users are therefore strongly urged to upgrade to the latest versions—8.7.8, 8.8.6, and 8.9.4—to reduce their risk of exploitation. This incident underscores the imperative for businesses using VMware products to stay vigilant and up-to-date with security patches.
Notably, Jääskelä has previously reported two other critical vulnerabilities concerning the same product (CVE-2022-22951 and CVE-2022-22952), both of which also carried a CVSS score of 9.1 and were addressed by VMware in March 2022.
In addition to addressing the App Control vulnerability, VMware has also fixed an XML External Entity (XXE) vulnerability, tracked as CVE-2023-20855, which affects vRealize Orchestrator, vRealize Automation, and Cloud Foundation. This vulnerability, scored at 8.8 on the CVSS scale, could allow a malicious actor with non-administrative access to leverage crafted input to bypass XML parsing restrictions, leading to the exposure of sensitive information or privilege escalation.
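As an added illustration of the mitigation an XXE finding calls for (example code, not VMware's and not a description of the vRealize parser), the snippet below refuses any XML document that declares a DOCTYPE or entities before the document is parsed. The XXE sample is constructed, and the file path inside it is a placeholder that is never resolved because the guard raises first.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class ForbiddenXmlConstruct(ValueError):
    """Raised when a document carries the DTD constructs XXE relies on."""


def _forbid(name):
    # Every hook raises on first sight, so no entity is ever expanded.
    def handler(*_args):
        raise ForbiddenXmlConstruct(f"rejected XML: {name} not allowed")
    return handler


def check_no_dtd(data: bytes) -> None:
    """Scan the document with expat; raise on any DOCTYPE or entity declaration."""
    p = expat.ParserCreate()
    # Never fetch external parameter entities such as a remote DTD.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    p.StartDoctypeDeclHandler = _forbid("DOCTYPE declaration")
    p.EntityDeclHandler = _forbid("ENTITY declaration")
    p.UnparsedEntityDeclHandler = _forbid("unparsed ENTITY declaration")
    p.ExternalEntityRefHandler = _forbid("external entity reference")
    p.Parse(data, True)


def parse_hardened(data: bytes) -> ET.Element:
    """Parse untrusted XML only after the DTD guard has passed."""
    check_no_dtd(data)
    return ET.fromstring(data)


def classify(data: bytes) -> str:
    """Return a short verdict string so callers can log what happened."""
    try:
        root = parse_hardened(data)
    except ForbiddenXmlConstruct as exc:
        return f"blocked: {exc}"
    except (ET.ParseError, expat.ExpatError) as exc:
        return f"malformed: {exc}"
    return f"ok: <{root.tag}>"


# Constructed samples: a benign document and a crafted one with an external entity.
BENIGN_SAMPLE = b"<workflow><name>deploy-vm</name></workflow>"
XXE_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE w [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/secret">]>
<workflow><name>&ext;</name></workflow>"""

if __name__ == "__main__":
    print(classify(BENIGN_SAMPLE))
    print(classify(XXE_SAMPLE))
```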
Given the increasing prevalence of attacks targeting VMware vulnerabilities, it remains vital for users to implement these patches promptly. The application of these updates not only mitigates specific vulnerabilities but also secures the overall operational environment against potential threats.
In MITRE ATT&CK terms, the tactics and techniques relevant to these vulnerabilities could include initial access and privilege escalation, potentially through exploitation of application or API weaknesses. Such tactics highlight the critical nature of maintaining a proactive security posture in an era where vulnerabilities can swiftly lead to serious breaches.
As cyber threats continue to evolve and target widely used software solutions, businesses must prioritize a comprehensive approach to cybersecurity, ensuring that their systems are continually updated and monitored for vulnerabilities to reduce their risk exposure.