
=====================================================================

                             CERT-Renater

                  Information Note No. 2023/VULN093

_____________________________________________________________________

DATE                : 23/02/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware vRealize Orchestrator
                     versions prior to 8.11.1,
                     VMware vRealize Automation versions prior to 8.11.1,
                     VMware Cloud Foundation (vRealize Automation) versions
                     prior to KB90926.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2023-0005.html
_____________________________________________________________________

Important

Advisory ID:       VMSA-2023-0005
CVSSv3 Range:      8.8
Issue Date:        2023-02-21
Updated On:        2023-02-21 (Initial Advisory)
CVE(s):            CVE-2023-20855


Synopsis:
VMware vRealize Orchestrator update addresses an XML External Entity 
(XXE) vulnerability (CVE-2023-20855)


1. Impacted Products

VMware vRealize Orchestrator
VMware vRealize Automation
VMware Cloud Foundation (Cloud Foundation)

2. Introduction

An XML External Entity (XXE) vulnerability affecting VMware vRealize 
Orchestrator was privately reported to VMware. Updates are available to 
address this vulnerability in affected VMware products.


3. XML External Entity (XXE) Vulnerability (CVE-2023-20855)

Description

VMware vRealize Orchestrator contains an XML External Entity (XXE) 
vulnerability. VMware has evaluated the severity of this issue to be in 
the Important severity range with a maximum CVSSv3 base score of 8.8.

Known Attack Vectors

A malicious actor, with non-administrative access to vRealize 
Orchestrator, may be able to use specially crafted input to bypass XML 
parsing restrictions leading to access to sensitive information or 
possible escalation of privileges.
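The parser-side mitigation for this bug class, shown here as an added illustration that is not VMware's code and says nothing about how vRealize Orchestrator itself parses XML: a Python expat parser for untrusted input configured to fail closed on any DOCTYPE, entity declaration or external entity reference, exercised with constructed sample documents (the file path in the second sample is a placeholder).

```python
import xml.parsers.expat
from xml.parsers.expat import XML_PARAM_ENTITY_PARSING_NEVER


class DtdRejected(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or entity declaration."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse untrusted XML into {tag: text}, failing closed on any DTD."""
    # External entities are what an XXE payload uses to reach local files or
    # internal URLs, so abort at the first sign of a DTD instead of resolving it.
    parser = xml.parsers.expat.ParserCreate()
    # Never expand parameter entities: they can pull in an external DTD.
    parser.SetParamEntityParsing(XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE not allowed (root element {name!r})")

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise DtdRejected(f"entity declaration not allowed: {name!r}")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    # Returning 0 here makes expat abort the parse with an ExpatError.
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0

    result, open_tags = {}, []

    def start(tag, attrs):
        open_tags.append(tag)
        result.setdefault(tag, "")

    def chars(text):
        result[open_tags[-1]] += text

    parser.StartElementHandler = start
    parser.EndElementHandler = lambda tag: open_tags.pop()
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return result


def rejects_dtd(data: bytes) -> bool:
    """True if the hardened parser refused the document because of a DTD."""
    try:
        parse_untrusted_xml(data)
    except DtdRejected:
        return True
    return False


# Constructed sample inputs, not taken from the advisory.
BENIGN = b"<workflow><name>deploy-vm</name><owner>ops</owner></workflow>"
XXE_ATTEMPT = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE workflow [<!ENTITY ext SYSTEM "file:///placeholder">]>'
               b"<workflow><name>&ext;</name></workflow>")
```

A document that only declares harmless internal entities is rejected as well; that is deliberate, since an endpoint expecting plain data documents has no reason to accept a DTD at all.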


Resolution

To remediate CVE-2023-20855 apply the patches listed in the 'Fixed 
Version' column of the 'Response Matrix' below.


Workarounds

None.


Additional Documentation

None.


Notes

VMware vRealize Automation 8.x is affected since it uses embedded 
vRealize Orchestrator.


Acknowledgements

VMware would like to thank IT.NRW for reporting this issue to us.

Response Matrix

Product                       Version  Running On         CVE Identifier  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
VMware vRealize Orchestrator  8.x      Virtual Appliance  CVE-2023-20855  8.8     important  8.11.1         None         None
VMware vRealize Automation    8.x      Any                CVE-2023-20855  8.8     important  8.11.1         None         None


Impacted Product Suites that Deploy Response Matrix Components:

Product                                        Version  Running On         CVE Identifier  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
VMware Cloud Foundation (vRealize Automation)  4.x      Any                CVE-2023-20855  8.8     important  KB90926        None         None


4. References

VMware vRealize Orchestrator 8.11.1
Downloads and Documentation:

https://customerconnect.vmware.com/en/downloads/details?downloadGroup=VROVA-8111&productId=1399&rPId=101376

https://docs.vmware.com/en/vRealize-Orchestrator/8.11.1/rn/vmware-vrealize-orchestrator-8111-release-notes/index.html 


VMware vRealize Automation 8.11.1
Downloads and Documentation:

https://customerconnect.vmware.com/en/downloads/info/slug/infrastructure_operations_management/vmware_vrealize_automation/8_11

https://docs.vmware.com/en/vRealize-Automation/services/rn/vrealize-automation-release-notes/index.html


VMware Cloud Foundation (vRealize Automation) KB90926: 
https://kb.vmware.com/s/article/90926

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20855

FIRST CVSSv3 Calculator:
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H


5. Change Log

2023-02-21 VMSA-2023-0005

Initial security advisory.


6. Contact

E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Twitter
https://twitter.com/VMwareSRC

Copyright 2023 VMware Inc. All rights reserved.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

