VMware reports critical vulnerability in vCenter
Take action: Even though there is officially no workaround, first make sure that network access to vCenter is restricted to trusted management networks only. Given the critical nature of this vulnerability, and the fact that even end-of-life versions received a patch, start planning to patch immediately.
Learn More
VMware has addressed a critical security vulnerability (CVE-2023-34048) in its vCenter Server software, which serves as the central management hub for VMware's vSphere suite.
The vulnerability, tracked as CVE-2023-34048 (CVSSv3 score 9.8), is caused by an out-of-bounds write in vCenter's DCE/RPC protocol implementation. An unauthenticated attacker with network access to the service could potentially exploit it remotely, without any user interaction. At the time of the advisory, VMware had not detected any active exploitation of this vulnerability.
VMware has released security patches that are accessible through the standard vCenter Server update mechanisms. Recognizing the critical nature of this vulnerability and the potential risks it poses, VMware has also issued patches for several end-of-life products that are no longer officially supported.
- VMware has made a patch generally available for vCenter Server 6.7U3, 6.5U3, and VCF 3.x.
- VMware has made additional patches available for vCenter Server 8.0U1.
- Async vCenter Server patches for VCF 5.x and 4.x deployments have been made available.
There is no workaround available to mitigate this vulnerability. VMware recommends that administrators exercise strict control over network perimeter access to vSphere management components and interfaces, including storage and network components. Specifically, the DCE/RPC listeners on ports 2012/tcp, 2014/tcp, and 2020/tcp are the ones that could be used in exploitation attempts, so these should never be reachable from untrusted networks.
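One practical way to verify the network-restriction guidance above is to check firewall or flow logs for connections to the three DCE/RPC ports from anything outside the trusted management network. The following Python script is an added example and is not VMware's code or part of the advisory; the log line format, the trusted CIDR (10.10.0.0/24) and the sample log lines are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# DCE/RPC listeners on vCenter named in VMware's advisory for CVE-2023-34048.
VCENTER_DCERPC_PORTS = {2012, 2014, 2020}

# Management network(s) allowed to reach vCenter. This CIDR is an assumption
# for the example; substitute your own trusted ranges.
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed sample firewall log (hypothetical key=value format).
# 10.10.0.5 plays the role of the vCenter appliance.
SAMPLE_LOG = """\
2023-10-25T10:00:01Z src=10.10.0.15 dst=10.10.0.5 dport=443 proto=tcp action=ALLOW
2023-10-25T10:00:02Z src=10.10.0.15 dst=10.10.0.5 dport=2012 proto=tcp action=ALLOW
2023-10-25T10:00:03Z src=203.0.113.7 dst=10.10.0.5 dport=2012 proto=tcp action=ALLOW
2023-10-25T10:00:04Z src=203.0.113.7 dst=10.10.0.5 dport=2014 proto=tcp action=ALLOW
2023-10-25T10:00:05Z src=203.0.113.7 dst=10.10.0.5 dport=2020 proto=tcp action=ALLOW
2023-10-25T10:00:06Z src=198.51.100.9 dst=10.10.0.5 dport=2020 proto=tcp action=DENY
2023-10-25T10:00:07Z src=10.10.0.22 dst=10.10.0.5 dport=2020 proto=tcp action=ALLOW
"""


def parse_line(line):
    """Split one 'timestamp k=v k=v ...' log line into a dict."""
    tokens = line.split()
    fields = dict(kv.split("=", 1) for kv in tokens[1:])
    return {
        "ts": tokens[0],
        "src": fields["src"],
        "dst": fields["dst"],
        "dport": int(fields["dport"]),
        "proto": fields["proto"],
        "action": fields["action"],
    }


def is_trusted(src, trusted_nets=TRUSTED_NETS):
    """True if the source address falls inside any trusted management network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in trusted_nets)


def find_untrusted_dcerpc_access(log_text, trusted_nets=TRUSTED_NETS):
    """Report traffic to the vCenter DCE/RPC ports from outside the trusted networks.

    Returns {"exposed": {src: [(port, ts), ...]}, "blocked": {src: [...]}}.
    'exposed' are ALLOWed connections (the perimeter is not locked down);
    'blocked' are DENYed attempts (worth investigating, but not an exposure).
    """
    exposed = defaultdict(list)
    blocked = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["proto"] != "tcp" or ev["dport"] not in VCENTER_DCERPC_PORTS:
            continue
        if is_trusted(ev["src"], trusted_nets):
            continue
        bucket = exposed if ev["action"] == "ALLOW" else blocked
        bucket[ev["src"]].append((ev["dport"], ev["ts"]))
    return {"exposed": dict(exposed), "blocked": dict(blocked)}


if __name__ == "__main__":
    report = find_untrusted_dcerpc_access(SAMPLE_LOG)
    for src, events in report["exposed"].items():
        ports = sorted({p for p, _ in events})
        print(f"EXPOSED: {src} reached vCenter DCE/RPC ports {ports}")
    for src, events in report["blocked"].items():
        ports = sorted({p for p, _ in events})
        print(f"blocked: {src} attempted vCenter DCE/RPC ports {ports}")
```

Any source listed under "exposed" means the DCE/RPC service is reachable from a network that should not have access; fix the perimeter rule first, then treat those sources as leads for the patching and investigation work. Connections from the trusted range on those ports are expected (vCenter's own components and administrators use them) and are not reported.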