VMware Patches Flaw Exposing Admin Credentials in Tanzu Application Service for VMs
VMware has addressed an information disclosure vulnerability, CVE-2023-20891, affecting its Tanzu Application Service for VMs and Isolation Segment products. This vulnerability allows remote attackers with low privileges to gain access to Cloud Foundry (CF) API admin credentials on unpatched systems.
The vulnerability stems from the logging of credentials in hex encoding in the platform system audit logs. By extracting the hex-encoded CF API admin credentials from these logs, a malicious non-admin user could potentially compromise the entire system's security by pushing malicious versions of applications. It is important to note that non-admin users typically do not have access to these logs in a default deployment, which mitigates some of the risk.
VMware recommends that affected users rotate their CF API admin credentials as a precautionary measure. It provides a guide on changing the credentials, but cautions that the procedure is not officially supported. Additionally, VMware has addressed other security bugs in the past month.
To protect against this vulnerability, users are advised to apply the patches released by VMware and rotate their CF API admin credentials. The vulnerability has been classified as "Moderate" with a CVSS v3 base score of 6.5. It is crucial for affected users to take these precautions to safeguard their systems and prevent potential unauthorized access.
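As an added example (not from VMware or the original article), the following Python check scans audit-log lines for long hex runs that decode to printable text containing credential markers, which is the logging pattern described above; the log format and sample lines are constructed for illustration and are not Tanzu's actual log format.

```python
"""Audit-log hygiene check: flag hex-encoded strings that decode to credential-like text.

Constructed example. The log layout and sample lines below are invented for
illustration and do not reproduce Tanzu Application Service's real log format.
"""
import re
from typing import List, Optional, Tuple

# Runs of hex digits long enough to carry a credential (at least 16 encoded bytes).
HEX_RUN = re.compile(r"\b(?:[0-9a-fA-F]{2}){16,}\b")

# Decoded content that should never appear in an audit log line.
SECRET_MARKERS = re.compile(
    r"(password|passwd|client_secret|secret|api[_-]?key|token|authorization:\s*basic)",
    re.IGNORECASE,
)


def decode_hex_run(run: str) -> Optional[str]:
    """Decode a hex run to text; return None if it is not printable UTF-8 text."""
    try:
        text = bytes.fromhex(run).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_hex_encoded_secrets(line: str) -> List[Tuple[str, str]]:
    """Return (hex_run, decoded_text) pairs whose decoded text looks like a credential."""
    hits = []
    for match in HEX_RUN.finditer(line):
        decoded = decode_hex_run(match.group(0))
        if decoded and SECRET_MARKERS.search(decoded):
            hits.append((match.group(0), decoded))
    return hits


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Scan log lines; return (line_number, decoded_text) for every flagged secret."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for _hex_run, decoded in find_hex_encoded_secrets(line):
            findings.append((lineno, decoded))
    return findings


# Constructed sample log: a hex request id that is NOT text, a hex-encoded payload that
# carries a (fake) client secret, and a plain line with no hex at all.
SAMPLE_LOG = [
    "2023-07-25T10:00:01Z audit user=dev1 action=push request_id="
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "2023-07-25T10:00:02Z audit user=dev1 payload=" + b"client_secret=EXAMPLE-NOT-REAL".hex(),
    "2023-07-25T10:00:03Z audit user=dev1 action=list_apps status=200",
]

if __name__ == "__main__":
    for lineno, decoded in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: hex-encoded credential material: {decoded!r}")
```

Any finding means the log already exposed a secret to everyone who can read it, so the credential should be rotated regardless of whether the logging itself has since been patched.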