Two vulnerabilities, one of critical severity and one of high severity, have been reported in VMware Aria Operations for Logs.

The first is a critical deserialization vulnerability: an unauthenticated attacker with network access to the affected product could exploit it to execute arbitrary code as root. It has been assigned the identifier CVE-2023-20864.

The second is a command injection vulnerability: an attacker with administrative privileges on the affected product could exploit it to execute arbitrary commands as root. It has been assigned the identifier CVE-2023-20865.

Affected Versions

VMware Aria Operations for Logs versions:

8.10.2;
8.10;
8.8.x;
8.6.x;
4.x.

Recommendations

Update to the fixed version, or apply the KB article, listed for each product:

VMware Cloud Foundation (VMware Aria Operations for Logs): KB91865
VMware Aria Operations for Logs (Operations for Logs): 8.12

Reference

https://www.vmware.com/security/advisories/VMSA-2023-0007.html