VMware reveals critical vCenter vuln that you may have patched already without knowing it

From theregister.com

VMware has disclosed a critical vulnerability in its vCenter Server – and that it issued an update to fix it weeks ago, along with patches for unsupported versions of the software.

The soon-to-be-acquired-by-Broadcom virtualization giant on Wednesday delivered news that its implementation of the Distributed Computing Environment/Remote Procedure Calls (DCERPC) protocol contains an out-of-bounds write vulnerability.

CVE-2023-34048, as the vuln is now known, carries a 9.8/10 CVSSv3 score, as it enables a malicious actor with network access to vCenter Server to trigger an out-of-bounds write – potentially leading to remote code execution.

Virtzilla hasn’t seen anyone exploiting the flaw, but of course advises fixing it – fast.

Which is where things get a little odd. One way to address the situation is to adopt vCenter Server 8.0U2 – which was released on September 21. Yet an archived version of the release notes for 8.0U2 dated October 13 contains no mentions of security patches.