From theregister.com
VMware has disclosed a critical vulnerability in its vCenter Server – and that it issued an update to fix it weeks ago, along with patches for unsupported versions of the software.
The soon-to-be-acquired-by-Broadcom virtualization giant on Wednesday delivered news that its implementation of the Distributed Computing Environment/Remote Procedure Calls (DCERPC) protocol contains an out-of-bounds write vulnerability.
CVE-2023-34048, as the vuln is now known, carries a 9.8/10 CVSSv3 score, as it enables a malicious actor with network access to vCenter Server to trigger an out-of-bounds write – potentially leading to remote code execution.
Virtzilla hasn’t seen anyone exploiting the flaw, but of course advises fixing it – fast.
Which is where things get a little odd. One way to address the situation is to adopt vCenter Server 8.0U2 – which was released on September 21. Yet an archived version of the release notes for 8.0U2 dated October 13 contains no mentions of security patches.