VMware patches critical injection flaw in Carbon Black App Control (CVE-2023-20858)
VMware has fixed a critical vulnerability (CVE-2023-20858) in Carbon Black App Control, its enterprise solution for preventing untrusted software from executing on critical systems and endpoints.
Even though the flaw has been privately reported to VMware, and there is no mention of it being actively exploited, admins are urged to upgrade to a fixed version as soon as possible.
To exploit CVE-2023-20858 – an injection vulnerability that could allow a malicious actor to gain access to the underlying server operating system – the attacker must have privileged access to the App Control administration console and use specially crafted input.
Flagged by bug hunter Jari Jääskelä, the vulnerability has been fixed in Carbon Black App Control versions 8.9.4, 8.8.6 and 8.7.8. There are no available workarounds or mitigations.
Simultaneously, VMware has also released updates for:
- VMware vRealize Orchestrator (data center workflow automation platform)
- VMware vRealize Automation (multi-cloud and data center automation platform), and
- VMware Cloud Foundation (platform for managing on-premises VM and container workloads)
Those updates fix CVE-2023-20855, an “important” XML External Entity (XXE) vulnerability.
“A malicious actor, with non-administrative access to vRealize Orchestrator, may be able to use specially crafted input to bypass XML parsing restrictions leading to access to sensitive information or possible escalation of privileges,” the company explained. Once again, no workarounds are available, so updating is advised.