VMware has fixed a critical vulnerability (CVE-2023-20858) in Carbon Black App Control, its enterprise solution for preventing untrusted software from executing on critical systems and endpoints.
Affected Carbon Black App Control Versions
The following versions of VMware Carbon Black App Control, running on Microsoft Windows operating systems, are vulnerable to CVE-2023-20858:
- 8.7.x before 8.7.8
- 8.8.x before 8.8.6
- 8.9.x before 8.9.4
To exploit CVE-2023-20858 – an injection vulnerability that could allow a malicious actor to gain access to the underlying server operating system – the attacker must have privileged access to the App Control administration console and use specially crafted input.
A second VMware advisory covers a high-severity vulnerability in its vRealize Orchestrator, vRealize Automation, and Cloud Foundation products: an XML External Entity (XXE) vulnerability tracked as CVE-2023-20855, with a CVSS score of 8.8.
At the same time, VMware has released updates for:
- VMware vRealize Orchestrator (data center workflow automation platform)
- VMware vRealize Automation (multi-cloud and data center automation platform), and
- VMware Cloud Foundation (platform for managing on-premises VM and container workloads)