CVE-2023-20880: VMSA-2023-0009

VMware Aria Operations contains a privilege escalation vulnerability. A malicious actor with administrative access to the local system can escalate privileges to 'root'.


Advisory ID: VMSA-2023-0009

CVSSv3 Range: 6.4-8.8

Issue Date: 2023-05-11

Updated On: 2023-05-11 (Initial Advisory)

CVE(s): CVE-2023-20877, CVE-2023-20878, CVE-2023-20879, CVE-2023-20880

Synopsis: VMware Aria Operations update addresses multiple Local Privilege Escalations and a Deserialization issue (CVE-2023-20877, CVE-2023-20878, CVE-2023-20879, CVE-2023-20880)

**1. Impacted Products**

VMware Aria Operations (formerly vRealize Operations)

**2. Introduction**

Multiple vulnerabilities in VMware Aria Operations were privately reported to VMware. Updates and workarounds are available to address these vulnerabilities in affected VMware products.

**3a. VMware Aria Operations Privilege Escalation Vulnerability (CVE-2023-20877)**

VMware Aria Operations contains a privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.

An authenticated malicious user with ReadOnly privileges can perform code execution leading to privilege escalation.

To remediate CVE-2023-20877 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below.

VMware would like to thank Y4er of 埃文科技 for reporting this issue to us.

**3b. VMware Aria Operations Deserialization Vulnerability (CVE-2023-20878)**

VMware Aria Operations contains a deserialization vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.6.

A malicious actor with administrative privileges can execute arbitrary commands and disrupt the system.

To remediate CVE-2023-20878 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below.

VMware would like to thank Y4er of 埃文科技 for reporting this issue to us.

**3c. VMware Aria Operations Local Privilege Escalation Vulnerability (CVE-2023-20879)**

VMware Aria Operations contains multiple Local Privilege Escalation vulnerabilities. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.7.

A malicious actor with administrative privileges in the Aria Operations application can gain root access to the underlying operating system.

To remediate CVE-2023-20879 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below.

VMware would like to thank thiscodecc of MoyunSec Vlab and Bing for reporting this issue to us.

**3d. VMware Aria Operations Local Privilege Escalation Vulnerability (CVE-2023-20880)**

VMware Aria Operations contains a local privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.4.

A malicious actor with administrative access to the local system can escalate privileges to 'root'.

To remediate CVE-2023-20877 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below.

VMware would like to thank thiscodecc of MoyunSec Vlab and Bing for reporting this issue to us.

Response Matrix

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| VMware Aria Operations | 8.12 | Any | CVE-2023-20877, CVE-2023-20878, CVE-2023-20879, CVE-2023-20880 | N/A | N/A | Unaffected | N/A | N/A |
| VMware Aria Operations | 8.10 | Any | CVE-2023-20877, CVE-2023-20878, CVE-2023-20879, CVE-2023-20880 | 8.8, 6.6, 6.7, 6.4 | Important | 8.10 Hot Fix 4 | KB91852 | N/A |
| VMware Aria Operations | 8.6.x | Any | CVE-2023-20877, CVE-2023-20878, CVE-2023-20879, CVE-2023-20880 | 8.8, 6.6, 6.7, 6.4 | Important | 8.6 Hot Fix 10 | KB91850 | N/A |
| VMware Cloud Foundation (VMware Aria Operations) | 4.x | Any | CVE-2023-20877, CVE-2023-20878, CVE-2023-20879, CVE-2023-20880 | 8.8, 6.6, 6.7, 6.4 | Important | KB92148 | KB92148 | N/A |

**4. References**

**5. Change Log**

2023-05-11 VMSA-2023-0009

Initial security advisory.

**6. Contact**
