VMware releases patch for critical Cloud Director authentication bypass
Take action: If you are using VMware Cloud Director that was updated to 10.5 from previous versions, it's time to patch the product to the latest version 10.5.1. Even if you applied the workaround, it's not smart to have a vulnerable system if you can easily patch it.
VMware has addressed a critical authentication bypass vulnerability in its Cloud Director appliance deployments, identified as CVE-2023-34060, which remained unpatched for over two weeks after its initial disclosure on November 14th.
The flaw affects only appliances running VMware Cloud Director Appliance 10.5 that were upgraded from an older version. It allows remote attackers to exploit the system without user interaction, particularly on ports 22 (SSH) and 5480 (appliance management console).
Fresh VCD Appliance 10.5 installs, Linux deployments, and other appliances are not affected.
The patch is released as VMware Cloud Director 10.5.1. Until the patch was released, VMware offered a temporary workaround.