VMware has released a security update to address a critical injection vulnerability that impacts several versions of Carbon Black App Control for Windows. Injection vulnerabilities allow attackers to execute code or commands in a target application. This vulnerability is rated 9.1 out of 10 in severity, and an attacker can leverage it, using specially crafted input, to gain access to the underlying operating system. It is tracked as CVE-2023-20858 and was discovered by security analyst Jari Jääskelä.
This vulnerability affects Carbon Black App Control for Windows version 8.7.7 and older, version 8.8.5 and older, and version 8.9.3 and older. VMware recommends that administrators upgrade to version 8.9.4, 8.8.6, or 8.7.8 as soon as possible; no workarounds or mitigation advice were provided in its announcement. These patches follow a separate fix released by VMware on Monday for CVE-2023-20855, a high-severity XXE injection flaw that impacted VMware Orchestrator below v8.11.1, vRealize Automation below v8.11.1, and VMware Cloud Foundation 4.x.