Advisory on CVE-2023-34048
On October 25, 2023, VMware disclosed a vulnerability in its vCenter Server. This vulnerability enables a malicious actor with network access to a vCenter Server to trigger an out-of-bounds write, potentially leading to remote code execution. The vulnerability is assigned the CVE ID CVE-2023-34048 and is rated Critical, with a Common Vulnerability Scoring System (CVSS) score of 9.8.
IONOS Cloud customers access their Private Cloud's vCenter server via an IONOS-provided dedicated Virtual Private Network (VPN). Every Private Cloud customer has a dedicated VPN, and one IONOS customer cannot access the vCenter Server instance of another. This reduces the attack surface from external entities. Therefore, we consider this issue to be Medium for our customer environment, as the vCenter Server is not publicly reachable and access to it is restricted.
We see no signs of active exploitation of this vulnerability, and no public exploit is known yet.
IONOS Cloud provides VServer over a secure virtual private network, which mitigates the risk of exploitation from external entities. We have already initiated the steps to remediate the vulnerability by upgrading the VMware vCenter version. IONOS Cloud is responsible for patching, and no action is required from the customer.
IONOS Cloud will start to update all VMware vCenter servers on November 6, 2023.
During the upgrade, you can restrict access to vCenter for up to 1 hour.