VMware Aria Operations for Networks, formerly vRealize Network Insight, is affected by multiple vulnerabilities that were reported privately to VMware. In response, VMware has released patches that address these vulnerabilities in the impacted VMware products.
The first vulnerability, CVE-2023-20887, is a command injection flaw in Aria Operations for Networks rated critical, with a maximum CVSSv3 base score of 9.8. A malicious actor with network access to the appliance may be able to perform a command injection attack resulting in remote code execution. VMware recommends that users apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ in its advisory to remediate this issue. Notably, VMware has confirmed that exploitation of CVE-2023-20887 has occurred in the wild.

The second vulnerability, CVE-2023-20888, is an authenticated deserialization vulnerability, also rated critical, with a maximum CVSSv3 base score of 9.1. A malicious actor with network access and valid ‘member’ role credentials may be able to perform a deserialization attack resulting in remote code execution. The resolution, again, is to apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix.’

The third vulnerability, CVE-2023-20889, is an information disclosure vulnerability in the important severity range, with a maximum CVSSv3 base score of 8.8. A malicious actor with network access may be able to perform a command injection attack resulting in information disclosure. To address this, users are advised to apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix.’ Given that at least one of these issues is already being exploited, users should act promptly to patch affected systems.