{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2023-036.pdf"
    },
    "title": "Critical Vulnerabilities in VMware Aria Operations for Networks",
    "serial_number": "2023-036",
    "publish_date": "08-06-2023 08:38:26",
    "description": "On June 7, 2023, VMware issued multiple security patches to address critical vulnerabilities in VMware Aria Operations for Networks, formerly known as vRealize Network Insight. The vulnerabilities allow attackers to gain remote code execution or access sensitive information.<br>\nCERT-EU recommends upgrading as soon as possible.<br>\n",
    "url_title": "2023-036",
    "content_markdown": "--- \ntitle: 'Critical Vulnerabilities in VMware Aria Operations for Networks' \nversion: '1.0'\nnumber: '2023-036'\noriginal_date: 'June 7, 2023'\ndate: 'June 8, 2023'\n---\n\n_History:_\n\n* _08/06/2023 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn June 7, 2023, VMware issued multiple security patches to address critical vulnerabilities in VMware Aria Operations for Networks, formerly known as vRealize Network Insight. The vulnerabilities allow attackers to gain remote code execution or access sensitive information [1].\n\nCERT-EU recommends upgrading as soon as possible.\n\n# Technical Details\n\n- **CVE-2023-20887**\n\nThis critical severity vulnerability, with a CVSS score of 9.8 out of 10, allows an unauthenticated attacker to perform a command injection attack resulting in remote code execution.\n\n- **CVE-2023-20888**\n\nThis vulnerability, with a CVSS score of 9.1 out of 10, allows an authenticated attacker with a valid `member` role to perform a deserialisation attack resulting in remote code execution.\n\n- **CVE-2023-20889**\n\nThis vulnerability, with a CVSS score of 8.8 out of 10, allows an unauthenticated attacker to perform a command injection attack resulting in information disclosure.\n\n# Affected Products\n\nVMware Aria Operations for Networks version 6.x is affected by these vulnerabilities. The fixed version is KB92684 [1].\n\n# Recommendations\n\nCERT-EU highly recommends updating the affected products to the fixed version.\n\n# References\n\n[1] <https://www.vmware.com/security/advisories/VMSA-2023-0012.html>",
    "content_html": "<p><em>History:</em></p><ul><li><em>08/06/2023 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On June 7, 2023, VMware issued multiple security patches to address critical vulnerabilities in VMware Aria Operations for Networks, formerly known as vRealize Network Insight. The vulnerabilities allow attackers to gain remote code execution or access sensitive information [1].</p><p>CERT-EU recommends upgrading as soon as possible.</p><h2 id=\"technical-details\">Technical Details</h2><ul><li><strong>CVE-2023-20887</strong></li></ul><p>This critical severity vulnerability, with a CVSS score of 9.8 out of 10, allows an unauthenticated attacker to perform a command injection attack resulting in remote code execution.</p><ul><li><strong>CVE-2023-20888</strong></li></ul><p>This vulnerability, with a CVSS score of 9.1 out of 10, allows an authenticated attacker with a valid <code>member</code> role to perform a deserialisation attack resulting in remote code execution.</p><ul><li><strong>CVE-2023-20889</strong></li></ul><p>This vulnerability, with a CVSS score of 8.8 out of 10, allows an unauthenticated attacker to perform a command injection attack resulting in information disclosure.</p><h2 id=\"affected-products\">Affected Products</h2><p>VMware Aria Operations for Networks version 6.x is affected by these vulnerabilities. The fixed version is KB92684 [1].</p><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU highly recommends updating the affected products to the fixed version.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.vmware.com/security/advisories/VMSA-2023-0012.html\">https://www.vmware.com/security/advisories/VMSA-2023-0012.html</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}