=================================================================== CERT-Renater Note d'Information No. 2023/VULN092 _____________________________________________________________________ DATE : 23/02/2023 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S):Systems running VMware Carbon Black App Control versions prior to 8.9.4, 8.8.6, 8.7.8. ====================================================================https://www.vmware.com/security/advisories/VMSA-2023-0004.html _____________________________________________________________________ Critical Advisory ID: VMSA-2023-0004 CVSSv3 Range: 9.1 Issue Date: 2023-02-21 Updated On: 2023-02-21 (Initial Advisory) CVE(s): CVE-2023-20858 Synopsis: VMware Carbon Black App Control updates address an injection vulnerability (CVE-2023-20858) 1. Impacted Products VMware Carbon Black App Control (App Control) 2. Introduction An injection vulnerability affecting VMware Carbon Black App Control was privately reported to VMware. Updates are available to address this vulnerability in affected VMware products. 3. Injection Vulnerability (CVE-2023-20858) Description VMware Carbon Black App Control contains an injection vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.1. Known Attack Vectors A malicious actor with privileged access to the App Control administration console may be able to use specially crafted input allowing access to the underlying server operating system. Resolution To remediate CVE-2023-20858 update to the versions listed in the 'Fixed Version' column of the 'Response Matrix' found below. Workarounds None. Additional Documentation None. Notes None. Acknowledgements VMware would like to thank Jari Jääskelä (@JJaaskela) for reporting this vulnerability to us. Response Matrix Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation App Control 8.9.x Windows CVE-2023-20858 9.1 critical 8.9.4 None None App Control 8.8.x Windows CVE-2023-20858 9.1 critical 8.8.6 None None App Control 8.7.x Windows CVE-2023-20858 9.1 critical 8.7.8 None None 4. References Downloads and Documentation: VMware Carbon Black App Control 8.9.4 https://docs.vmware.com/en/VMware-Carbon-Black-App-Control/services/cb-ac-announcements/GUID-7464A525-BCF4-4329-9228-B040C9C16D22.html VMware Carbon Black App Control 8.7.8, 8.8.6 https://docs.vmware.com/en/VMware-Carbon-Black-App-Control/services/cb-ac-announcements/GUID-35DA49E4-41F3-485B-88E5-AE69B354F2FB.html Mitre CVE Dictionary Links: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20858 FIRST CVSSv3 Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 5. Change Log 2023-02-21 VMSA-2023-0004 Initial security advisory. 6. Contact E-mail: security@vmware.com PGP key at: https://kb.vmware.com/kb/1055 VMware Security Advisories https://www.vmware.com/security/advisories VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html VMware Security & Compliance Blog https://blogs.vmware.com/security Twitter https://twitter.com/VMwareSRC ========================================================+ CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =======================================================