Critical OS command injection and file upload vulnerabilities were found in VMware Carbon Black App Control (AppC). VMware has fixed the issues and released patches for them. The details of the vulnerabilities are as follows:
Advisory ID: VMSA-2022-0008
CVSSv3 Range: 9.1
Issue Date: 2022-03-23
Updated On: 2022-03-23 (Initial Advisory)
CVE(s): CVE-2022-22951, CVE-2022-22952
Synopsis: VMware Carbon Black App Control update addresses multiple vulnerabilities (CVE-2022-22951, CVE-2022-22952)
Products that are impacted:
- VMware Carbon Black App Control (AppC)
CVE-2022-22951 (OS command injection vulnerability in VMware Carbon Black App Control)
Summary
An OS command injection vulnerability was found in VMware Carbon Black App Control, which VMware rated with a maximum CVSSv3 base score of 9.1. Because input is not properly validated, an attacker with high-privilege authentication to the VMware App Control administration interface can execute commands on the server, leading to remote code execution.
Remediation
To remediate this issue, VMware has released patches, along with a Response Matrix and fixed version details.
Thanks to the Reporter
VMware also thanked Jari Jääskelä for reporting this issue.
CVE-2022-22952 (File upload vulnerability in VMware Carbon Black App Control)
Summary
A file upload vulnerability was found in VMware Carbon Black App Control, which VMware rated with a maximum CVSSv3 base score of 9.1. An attacker with high-privilege authentication to the VMware App Control administration interface can execute commands on the Windows instance hosting the AppC server by uploading a specially crafted file.
Remediation
To remediate this issue, VMware has released patches, along with a Response Matrix and fixed version details.
Thanks to the Reporter
VMware also thanked Jari Jääskelä for reporting this issue.
Fixed Version
These issues are fixed in VMware Carbon Black App Control 8.8.2, 8.7.4, 8.6.6 and 8.5.14. VMware has provided release notes for these patches.
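A quick way to triage an AppC server inventory against the fixed versions above is to compare each build numerically against the patched release of its own branch. This is an added example, not VMware's code or tooling; it assumes that any build at or above the listed version in the same 8.x branch is patched, treats branches not named in the advisory as unknown, and uses constructed hostnames and versions as sample input.

```python
"""Check VMware Carbon Black App Control (AppC) version strings against the
fixed versions listed in VMSA-2022-0008 (8.8.2, 8.7.4, 8.6.6, 8.5.14).

Added example, not VMware's code. The inventory below is constructed sample
data; the fixed-version list comes from the advisory text.
"""
from typing import Optional

# Minimum patched build per release branch, from the advisory's Fixed Version list.
# Assumption: later builds in the same branch also carry the fix.
FIXED_VERSIONS = {
    (8, 8): (8, 8, 2),
    (8, 7): (8, 7, 4),
    (8, 6): (8, 6, 6),
    (8, 5): (8, 5, 14),
}


def parse_version(text: str) -> tuple:
    """Turn '8.7.4' or '8.7.4.123' into a tuple of ints for numeric comparison.

    Plain string comparison would wrongly rank '8.5.9' above '8.5.14'.
    """
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str) -> Optional[bool]:
    """True if the build is at or above its branch's fixed version, False if
    below it, None for branches the advisory does not list."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return None
    return v[:3] >= fixed


def triage(inventory: dict) -> dict:
    """Label each host as 'patched', 'vulnerable' or 'unknown branch'."""
    labels = {True: "patched", False: "vulnerable", None: "unknown branch"}
    return {host: labels[is_patched(ver)] for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"appc-prod-01": "8.8.2", "appc-prod-02": "8.5.9",
              "appc-lab-01": "8.6.6.10", "appc-old-01": "8.4.3"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```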