Advisory on CVE-2023-34048

VMware vCenter Server out-of-bounds write vulnerability

On October 25, 2023, VMWare disclosed a vulnerability in its vCenter Server Security Issues. This vulnerability enables a malicious actor with network access to a vCenter Server to trigger an out-of-bounds write – potentially leading to remote code execution. The CVE ID CVE-2023-34048 is assigned to this vulnerability and has a Critical severity with Common Vulnerability Scoring System (CVSS) of 9.8 score.

Impacted IONOS Cloud Products

Risk on IONOS Cloud customer environment

IONOS Cloud customers access their Private Cloud’s vCenter server via an IONOS-provided dedicated Virtual Private Network (VPN). Every Private Cloud customer has a dedicated VPN, and another customer of IONOS cannot access the vCenter Server instance of another. This reduces the attack surface from external entities. Therefore, we consider this issue to be Medium for our customer environment as the reachability of the attack is not public but restricted.

We do not see any active sign of exploitation of this vulnerability, and no public exploit is known yet.

What action has IONOS Cloud taken to mitigate the severity?

IONOS Cloud provides VServer over a secure virtual private network, which mitigates the risk of exploitation from external entities. We have already initiated the steps to remediate the vulnerability by upgrading the VMWare vCenter version. IONOS Cloud owns the patching responsibility, and there is no action required from the customer.

IONOS Cloud will start to update all VMware vCenter servers on November 6, 2023.

What is the customer impact during the upgrade?

During the upgrade, you can restrict access to vCenter for up to 1 hour.

How can I get help?

If you have further questions or concerns about this vulnerability, contact IONOS Cloud Support.