VMware vRealize Operations (vROps) Cross-Site Request Forgery Bypass Vulnerability (CVE-2023-20856)

VMware has released a patch for the cross-site request forgery vulnerability in the VMware vRealize Operations (vROps). Tracked as CVE-2023-20856, this vulnerability can be exploited by a malicious attacker to execute actions on the target platform on behalf of the authenticated victim user. 
VMware vRealize® Operations automates and streamlines IT administration. The tool offers full-stack visibility from physical, virtual, and cloud infrastructure, including Virtual Machines (VMs) and containers to the supported applications. It offers ongoing performance optimization, effective cost and capacity management, proactive planning, troubleshooting, and integrated compliance. The tool is available on-premises and as-a-service. 


CVE-2023-20856 is a cross-site request forgery vulnerability affecting the VMware vRealize Operations (vROps). The attack vectors of this vulnerability show that the vulnerability can be exploited in a low-complexity environment without the need for any privileges. A malicious remote attacker can exploit this vulnerability to perform tasks on the vROps platform on behalf of the authenticated victim user. 
Cross-site request forgery (CSRF) vulnerability is a web security flaw that enables attackers to trick users into taking actions they do not intend to perform. It allows an attacker to partially bypass the same origin policy, which is meant to prevent various websites from interfering with one another. 
There are three conditions to be fulfilled to make a CSRF attack possible. The three conditions are:

  1. A relevant action  
  2. Cookie-based session handling 
  3. No unpredictable request parameters 

To prevent the CSFR attack, the following defenses can be incorporated: 

  1. CSRF tokens 
  2. SameSite cookies 
  3. Referer-based validation
Affected versions

VMware vRealize Operations (vROps) 8.6.x prior to build 21139695 are affected by these vulnerabilities. 


Customers are recommended to upgrade to build 21139695 to patch the vulnerability. For more information about the mitigation, please refer to VMware Security Advisory (VMSA-2023-0002). 

Steps to download the vRealize Operations 8.6 Hot Fix 9

VMware vRealize Operations 8.6 Hot Fix 9 can be applied to any 8.6 environment. It is not recommended to upgrade from an older version to this Hot Fix directly. Before installing this Hot Fix, you must upgrade to 8.6. 
Here are the steps to be followed:

  1. Download the vRealize Operations 8.6 Hot Fix 9 PAK file from the VMware Patch Portal. 

Note: Select vRealize Operations Manager as the Product, 8.6 as the version, and click Search. 
Select the option below.

Release Name  Release Date  Build Number  File Name 
vROps-8.6-HF9  1/31/2023  21139695  vRealize_Operations_Manager_With_CP-8.x-to- 
  1. Log in to your cluster’s primary node vRealize Operations Manager Administrator interface at https://master-node-FQDN-or-IP-address/admin. 
  2. Click Software Update in the left panel. 
  3. Click Install a Software Update in the main panel. 
  4. Follow the steps in the wizard to locate and install your PAK file. 
  5. Install the product update PAK file. Wait for the software update to complete. When it does, the Administrator interface logs you out. 
  6. Log back into the primary node Administrator interface. The main Cluster Status page appears, and the cluster goes online automatically. The status page also displays the Bring Online button, but please do not click it. 
  7. Clear the browser caches and refresh the page if the browser page does not refresh automatically. The cluster status changes to Going Online. When the cluster status changes to Online, the upgrade is complete. 

Note: If a cluster fails and the status changes to offline during the installation process of a PAK file update, some nodes become unavailable. To fix this, you can access the Administrator interface, manually take the cluster offline, and click Finish Installation to continue the installation process. 

  1. Click Software Update to check that the update is done—a message indicating that the update has been completed successfully appears in the main pane. 

For more information, please refer to KB90672. 
Qualys Detection 
Qualys customers can scan their devices with QID 730722 to detect vulnerable assets. 
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.  

Leave a Reply

Your email address will not be published. Required fields are marked *