VMware Issues Critical Fix for Vulnerability

February 21, 2023

Virtualization technology giant VMware has released a major security fix to cover a critical vulnerability in its enterprise-facing Carbon Black App Control product. The vulnerability, tracked as CVE-2023-20858, carries a CVSS severity score of 9.1 out of 10 and allows hackers to launch injection exploits to gain full access to the underlying server operating system.

"A malicious actor with privileged access to the App Control administration console may be able to use specially crafted input allowing access to the underlying server operating system," said VMware. The issue affects App Control versions 8.7.x, 8.8.x and 8.9.x running on Microsoft’s Windows operating system. It was privately reported by Jari Jääskelä, a security researcher active on the HackerOne bug bounty platform.

VMware also issued an important-severity advisory to warn of a privilege escalation and information disclosure flaw in its vRealize Orchestrator product. "A malicious actor, with non-administrative access to vRealize Orchestrator, may be able to use specially crafted input to bypass XML parsing restrictions leading to access to sensitive information or possible escalation of privileges," the company said.
