A critical bug in VMware’s vCenter Server needs patching as soon as possible.
VMware said its implementation of the DCE/RPC (Distributed Computing Environment / Remote Procedure Call) protocol contained an out-of-bounds write vulnerability.
“In ITIL parlance this would be considered an emergency change, and your organisation should consider acting quickly,” the vendor said.
Rated 9.8 on the CVSS scale, CVE-2023-34048 can be exploited for remote code execution.
Two other products, vSphere and vCloud, also use vCenter and need to be patched.
In an explanatory blog post, VMware said several branches of the software are impacted: vSphere 6.5, 6.7, 7.0, 8.0.1, and 8.0.2.
The company has taken the relatively rare step of patching end-of-life products, “due to the critical severity of this vulnerability and lack of workaround”.
End-of-life products covered are vCenter Server 6.7U3, 6.5U3, and VCF 3.x.
“For the same reasons, VMware has made additional patches available for vCenter Server 8.0U1,” the advisory said.
“Async vCenter Server patches for VCF 5.x and 4.x deployments have been made available.”
VMware said it is not aware of any exploits in the wild.
CVE-2023-34048 was discovered by Grigory Dorodnov of Trend Micro’s Zero Day Initiative.
A second, lower-rated bug, CVE-2023-34056 (CVSS 4.3), was also patched.
This is described as a “partial information disclosure” vulnerability. “A malicious actor with non-administrative privileges to vCenter Server may leverage this issue to access unauthorised data,” the advisory said.
It was disclosed by Oleg Moshkov of Deiteriy Lab.