
Broadcom disclosed a SQL injection vulnerability affecting VMware HCX, a key component used in multi-cloud infrastructures to enable application migration and disaster recovery.
The vulnerability, tracked as CVE-2024-38814 with a CVSS score of 8.8, allows an authenticated user with non-administrator privileges to submit specially crafted SQL queries and achieve unauthorized remote code execution on the HCX manager. Because only low-privileged credentials are required, a successful exploit could let such a user take control of the affected system, with consequences ranging from data breaches to service disruption.
The vulnerability was reported to VMware by Sina Kheirkhah of the Summoning Team, working with Trend Micro’s Zero Day Initiative.
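The advisory names the vulnerability class (SQL injection reachable by a low-privileged authenticated user) but does not describe the HCX manager's query, schema or injection point. The following is an added illustration of that class, not VMware HCX code: the `mig_jobs` table, its sample rows, the two lookup functions and the payloads are all constructed for this example. It puts the vulnerable string-built query beside its parameterised form and shows how a user of one tenant can use the first to read rows, including a secret column, belonging to another tenant.

```python
"""Added illustration of the vulnerability class named in the advisory.

This is not VMware HCX code. The advisory does not describe the HCX manager's
query, schema or injection point, so the 'mig_jobs' table, the sample rows
and the two lookup functions below are constructed for this example.
"""
import sqlite3


def seed_db() -> sqlite3.Connection:
    """Build an in-memory database with constructed sample data: jobs for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mig_jobs (id INTEGER, tenant TEXT, name TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO mig_jobs VALUES (?, ?, ?, ?)",
        [
            (1, "tenant-a", "web-tier", "token-a"),
            (2, "tenant-b", "db-tier", "token-b"),
        ],
    )
    return conn


def find_jobs_vulnerable(conn, tenant, name):
    """Vulnerable pattern: the caller-supplied name is spliced into the SQL text.

    A low-privileged user of tenant-a controls 'name', so anything they type
    becomes part of the statement the database parses.
    """
    sql = (
        "SELECT id, tenant, name FROM mig_jobs "
        f"WHERE tenant = '{tenant}' AND name = '{name}'"
    )
    return conn.execute(sql).fetchall()


def find_jobs_hardened(conn, tenant, name):
    """Hardened form: placeholders keep user input as data, never as SQL syntax."""
    sql = "SELECT id, tenant, name FROM mig_jobs WHERE tenant = ? AND name = ?"
    return conn.execute(sql, (tenant, name)).fetchall()


# Two constructed payloads a low-privileged tenant might submit as a job name.
BYPASS_PAYLOAD = "x' OR '1'='1"
UNION_PAYLOAD = "x' UNION SELECT id, tenant, secret FROM mig_jobs --"


def demo():
    """Run both functions against both payloads; returns results keyed by case."""
    conn = seed_db()
    return {
        # Filter bypass: AND binds tighter than OR, so the appended OR clause
        # makes the WHERE condition true for every row, not just tenant-a's.
        "vuln_bypass": find_jobs_vulnerable(conn, "tenant-a", BYPASS_PAYLOAD),
        # Cross-tenant read: UNION appends the secret column for all tenants,
        # and the trailing '--' comments out the query's closing quote.
        "vuln_union": sorted(find_jobs_vulnerable(conn, "tenant-a", UNION_PAYLOAD)),
        # The same payloads against the parameterised query are compared as a
        # literal job name and match nothing.
        "safe_bypass": find_jobs_hardened(conn, "tenant-a", BYPASS_PAYLOAD),
        "safe_union": find_jobs_hardened(conn, "tenant-a", UNION_PAYLOAD),
        # A legitimate lookup still works through the hardened path.
        "safe_legit": find_jobs_hardened(conn, "tenant-a", "web-tier"),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows}")
```

The example stops at unauthorized data access; the advisory states that the HCX flaw goes further, to remote code execution on the manager, but it does not say by what path, so that step is not reproduced here. The defensive point is the same either way: user input must reach the database only through bound parameters, and the account the application connects with should hold no more privilege than the query needs.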
The advisory lists three affected version lines of VMware HCX: 4.10.x, 4.9.x, and 4.8.x. To mitigate this vulnerability, VMware recommends updating to the following fixed releases:
- VMware HCX 4.10.x: Update to version 4.10.1
- VMware HCX 4.9.x: Update to version 4.9.2
- VMware HCX 4.8.x: Update to version 4.8.3
VMware emphasizes the importance of immediate patching, as there are no workarounds available for this vulnerability.
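For teams that track HCX managers in an inventory, the following added helper (not from the advisory or VMware) maps a reported HCX version to the fixed release listed above. It assumes versions are written as `major.minor.patch` with an optional fourth build component, which is an assumption about HCX version strings rather than something the advisory states; anything outside the three listed lines is reported as not covered by the advisory rather than as safe.

```python
# Added helper, not from the advisory or VMware: classify an HCX version
# against the fixed releases the advisory names for CVE-2024-38814.
import re

# Fixed release per affected line, as listed in the advisory.
FIXED_VERSIONS = {
    (4, 10): (4, 10, 1),
    (4, 9): (4, 9, 2),
    (4, 8): (4, 8, 3),
}

# Assumption: versions look like "4.10.0" or "4.10.0.12345" (optional build number).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.\d+)?$")


def parse_version(text):
    """Return (major, minor, patch) or None if the string is not a recognised version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups())


def assess(version_text):
    """Return (status, fixed_version) where status is one of
    'vulnerable', 'fixed', 'not-listed' or 'invalid'."""
    v = parse_version(version_text)
    if v is None:
        return ("invalid", None)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        # Lines other than 4.8.x, 4.9.x and 4.10.x are not named in the
        # advisory; do not treat them as safe, check the vendor advisory.
        return ("not-listed", None)
    fixed_text = ".".join(map(str, fixed))
    if v < fixed:
        return ("vulnerable", fixed_text)
    return ("fixed", fixed_text)


def triage(inventory):
    """inventory: {hostname: version string} -> {hostname: (status, fixed_version)}"""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory.
    sample = {
        "hcx-mgr-01": "4.10.0",
        "hcx-mgr-02": "4.9.2",
        "hcx-mgr-03": "4.8.1.55667",
        "hcx-legacy": "4.7.3",
        "hcx-unknown": "n/a",
    }
    for host, (status, fix) in triage(sample).items():
        note = f" (update to {fix})" if status == "vulnerable" else ""
        print(f"{host}: {status}{note}")
```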

