• EN

Critical vulnerability VMware Cloud Director Appliance (CVE-2023-34060)

  • 16 November 2023
  • 2 comments
  • 53 views
Stabz
Userlevel 7
Badge +7

URGENT SECURITY ALERT: VMware has issued a warning about a critical and unpatched vulnerability in Cloud Director. Tracked as CVE-2023-34060 with a CVSS score of 9.8, this flaw affects instances upgraded to version 10.5 from an older version.

On an upgraded version of VMware Cloud Director Appliance 10.5, a malicious actor with network access to the appliance can bypass login restrictions when authenticating on port 22 (ssh) or port 5480 (appliance management console). This bypass is not present on port 443 (VCD provider
and tenant login). On a new installation of VMware Cloud Director Appliance 10.5, the bypass is not present.

While a fix is pending, VMware has released a shell script (https://kb.vmware.com/s/article/95534) as a workaround. This temporary mitigation won't disrupt Cloud Director installations.

 

More information: https://www.vmware.com/security/advisories/VMSA-2023-0026.html

 

Philippe DUPUIS |Veeam Certified Engineer | https://original-network.com/

2 comments

TylerJurgens
Userlevel 7
Badge +6

What I found interesting about this one is it only affects upgraded VCD 10.5 installs. Fresh installs, or 10.4 and below are unaffected. 

Tyler Jurgens | Cloud Infrastructure Engineer | Veeam Legend x2 | vExpert ** | VMSP/VMTSP | VCP-2020 | VSP/VTSP | Tanzu Vanguard | VMUG Calgary Leader | VUG Canada Leader | https://explosive.cloud | @Tyler_Jurgens | BlueSky: @tylerjurgens.bsky.social
Chris.Childerhose
Userlevel 7
Badge +20

Thanks for sharing this.  I think we are on 10.4 still but will send this to my VMware team.

Chris Childerhose - VMCA2022 | VMCE2023 | Veeam Vanguard 7* | Veeam Legend 3* | vExpert 5* | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech

Comment


Terms & Conditions