VMware addressed a critical bug in Carbon Black App Control

VMware released security updates to address a critical vulnerability, tracked as CVE-2023-20858, in the Carbon Black App Control product.

VMware addressed a critical injection vulnerability, tracked as CVE-2023-20858 (CVSSv3 score 9.1), in Carbon Black App Control.

VMware Carbon Black App Control allows organizations to ensure that only trusted and approved software is allowed to execute on their critical systems and endpoints.

An attacker with privileged access to the App Control administration console can trigger the issue by providing specially crafted input, thereby gaining access to the underlying server operating system.

“VMware Carbon Black App Control contains an injection vulnerability,” reads the advisory published by the virtualization giant. “A malicious actor with privileged access to the App Control administration console may be able to use specially crafted input allowing access to the underlying server operating system.”

The vulnerability impacts App Control versions 8.7.x, 8.8.x and 8.9.x for Microsoft Windows. The company addressed it with the release of versions 8.9.4, 8.8.6 and 8.7.8.

The security researcher Jari Jääskelä privately reported the vulnerability through the company's bug bounty program on the HackerOne platform.

VMware states that there are no workarounds for this vulnerability.