VMware's Response To CVE-2023-20864 and CVE-2023-20865


Article ID: 320332


Products

VMware

Issue/Introduction

The purpose of this article is to provide some additional information relating to VMSA-2023-0007.

In addition, please see KB91441 for details of a certificate issue that impacts all versions of VMware Aria Operations for Logs (formerly vRealize Log Insight).
This issue is resolved in the fixed version documented in the VMSA.

Resolution

Who is affected?
Customers who have deployed versions of VMware Aria Operations for Logs (formerly vRealize Log Insight) as documented in the VMSA.

When do I need to act?
CVE-2023-20864 is a critical issue and should be patched immediately as per the instructions in the advisory. 
Note that only version 8.10.2 is impacted by this vulnerability (CVE-2023-20864).
Other versions of VMware Aria Operations for Logs (formerly vRealize Log Insight) are impacted by CVE-2023-20865, but this has a lower CVSSv3 score of 7.2.


What should I do about the issue documented in KB91441 (Expiring Certificate)?
Upgrading to the fixed version will mitigate all of the security vulnerabilities and also resolve the certificate issue documented in the KB article.

What should I do to protect myself?
To fully protect yourself and your organization, VMware recommends upgrading to the fixed version as documented in the advisory.
There may be other protections available in your organization, depending on your security posture, defense-in-depth strategies, and configurations of virtual machines. All organizations must decide for themselves whether to rely on those protections.

I have feedback about the products and/or processes. How do I provide it to you?
VMware appreciates any and all feedback on our products and processes. Please contact your Account Executive, Solutions Engineer, or Technical Account Manager. They have processes for submitting feedback on your behalf.