VMware issues critical warning of their Cloud Director product

published: Nov. 15, 2023

Take action: If you are using VMware Cloud Director that was updated to 10.5 from previous versions, apply the workaround at earliest convenience. The issue isn't immediately exploitable, but don't skip this fix, and the subsequent patch.

Learn More

VMware has issued an alert for a severe and yet-to-be-fixed security vulnerability within its Cloud Director product, which poses a significant risk if exploited by an attacker.

The issue is tracked CVE-2023-34060 (CVSS3 score 9.8), this flaw impacts instances upgraded to version 10.5 from a previous release. A bad actor with access to the network where the Cloud Director Appliance 10.5 is running could sidestep authentication measures when connecting through SSH on port 22 or the appliance management console on port 5480.

This security issue does it exist in fresh installations of the appliance. VMware attributes the vulnerability to the usage of a compromised sssd version from the underlying Photon OS.

VMware has not yet provided a permanent fix but has recommended a temporary solution with a shell script named "WA_CVE-2023-34060.sh".

The company assures customers that applying this script will not necessitate system downtime or disrupt Cloud Director's operations.

VMware issues critical warning of their Cloud Director product