Aria Operations for Networks: Critical Vulnerabilities Discovered and Patched

Aria Operations for Networks, formerly known as vRealize Network Insight, was recently found to contain several critical vulnerabilities. VMware, the company behind the software, received private reports about these vulnerabilities and promptly released patches to address them. This article covers the specifics of each vulnerability and how to resolve them.

Aria Operations for Networks Command Injection Vulnerability (CVE-2023-20887):

Aria Operations for Networks was found to have a critical command injection vulnerability. VMware has categorized this vulnerability with a maximum CVSSv3 base score of 9.8, highlighting its severity.

Known Attack Vectors:

A malicious actor with network access to Aria Operations for Networks could exploit this vulnerability to execute arbitrary code remotely through a command injection attack.

Resolution:

To remediate CVE-2023-20887, apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below.

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds |
|---|---|---|---|---|---|---|---|
| VMware Aria Operations Networks | 6.x | Any | CVE-2023-20887, CVE-2023-20888, CVE-2023-20889 | 9.8, 9.1, 8.8 | Critical | KB92684 | None |
