Impacted Products
VMware Aria Automation (formerly vRealize Automation) and VMware Cloud Foundation, which bundles Aria Automation, are affected by a critical missing access control vulnerability tracked as CVE-2023-34063.
Introduction
A critical missing access control vulnerability has been found in Aria Automation. The issue was reported to VMware privately, and updates that remediate it are available for the affected products.
Detailed Analysis of the Vulnerability (CVE-2023-34063)
Description: Aria Automation contains a missing access control vulnerability. VMware has evaluated the severity of this issue as Critical, with a maximum CVSSv3 base score of 9.9.
Known Attack Vectors: An authenticated malicious actor can exploit this vulnerability to gain unauthorized access to remote organizations and workflows. Authentication is the only precondition the advisory lists; no further privilege requirement is stated, so any valid account on an affected appliance should be treated as a potential vector.
Resolution: To remediate CVE-2023-34063, apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below.
Workarounds: There are no workarounds for this vulnerability. Patching is the only mitigation; limiting who holds valid credentials reduces exposure but does not close the issue.
Additional Documentation: For more information and clarification, VMware has released a supplemental FAQ, accessible at VMware Security Advisory FAQ.
Acknowledgments: This issue was brought to VMware’s attention thanks to the vigilance of the Commonwealth Scientific and Industrial Research Organisation’s (CSIRO) Scientific Computing Platforms team.
Response Matrix
The following table lists the affected versions of VMware Aria Automation and VMware Cloud Foundation with the corresponding fixed versions. Note that for every 8.1x line the fixed build alone is not sufficient: the accompanying patch must also be applied.

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| VMware Aria Automation | 8.16 | Any | CVE-2023-34063 | N/A | N/A | Unaffected | N/A | FAQ |
| VMware Aria Automation | 8.14.x | Any | CVE-2023-34063 | 9.9 | Critical | 8.14.1 + Patch | N/A | FAQ |
| VMware Aria Automation | 8.13.x | Any | CVE-2023-34063 | 9.9 | Critical | 8.13.1 + Patch | N/A | FAQ |
| VMware Aria Automation | 8.12.x | Any | CVE-2023-34063 | 9.9 | Critical | 8.12.2 + Patch | N/A | FAQ |
| VMware Aria Automation | 8.11.x | Any | CVE-2023-34063 | 9.9 | Critical | 8.11.2 + Patch | N/A | FAQ |
| VMware Cloud Foundation (Aria Automation) | 5.x, 4.x | Any | CVE-2023-34063 | 9.9 | Critical | KB96136 | N/A | FAQ |
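The matrix above is easy to misread in one way: an appliance on 8.14.1 is still vulnerable until the CVE-2023-34063 patch has been applied on top of it. The following Python script is an added example, not VMware tooling, that encodes the response matrix for the Aria Automation rows and classifies an inventory of appliance versions. The inventory is constructed sample data, and the patch-applied flag is assumed to come from your own change records; how you collect versions from the appliances is not covered here.

```python
"""Triage helper for CVE-2023-34063 against the VMSA response matrix.

Added example, not VMware's tooling. Encodes the Aria Automation rows of the
response matrix and classifies an inventory of appliance versions.
"""
from typing import NamedTuple


class Finding(NamedTuple):
    host: str
    version: str
    status: str   # "unaffected", "fixed", "vulnerable" or "unlisted"
    action: str


# Affected 8.1x lines -> fixed build from the matrix. Every fixed build also
# requires the accompanying patch, hence the separate patch_applied flag.
FIXED_VERSIONS = {
    (8, 11): (8, 11, 2),
    (8, 12): (8, 12, 2),
    (8, 13): (8, 13, 1),
    (8, 14): (8, 14, 1),
}
UNAFFECTED_FROM = (8, 16)   # 8.16 is listed as unaffected


def parse_version(text: str) -> tuple:
    """'8.14.1' -> (8, 14, 1); '8.16' -> (8, 16, 0). Rejects '8.14.x' and junk."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def assess(version: str, patch_applied: bool = False) -> tuple:
    """Return (status, action) for a single Aria Automation appliance."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line >= UNAFFECTED_FROM:
        return "unaffected", "none (8.16 or later is not affected)"
    if line not in FIXED_VERSIONS:
        # 8.15 and anything older than 8.11 do not appear in the matrix.
        return "unlisted", "version not in the response matrix; check support status and the FAQ"
    fixed = FIXED_VERSIONS[line]
    fixed_str = ".".join(str(n) for n in fixed)
    if (major, minor, patch) < fixed:
        return "vulnerable", f"upgrade to {fixed_str} and apply the CVE-2023-34063 patch"
    if not patch_applied:
        # On the fixed build but without the patch: still vulnerable per the matrix.
        return "vulnerable", f"on {fixed_str} but patch not applied; apply the CVE-2023-34063 patch"
    return "fixed", "none"


def triage(inventory) -> list:
    """inventory: iterable of (host, version, patch_applied) tuples."""
    return [Finding(host, ver, *assess(ver, patched)) for host, ver, patched in inventory]


# Constructed sample inventory (hypothetical hosts), not real data.
SAMPLE_INVENTORY = [
    ("vra-prod-01", "8.14.1", False),
    ("vra-prod-02", "8.14.1", True),
    ("vra-dev-01", "8.13.0", False),
    ("vra-lab-01", "8.16", False),
    ("vra-old-01", "8.10.2", False),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.host:12} {f.version:8} {f.status:11} {f.action}")
```

The script deliberately refuses to parse wildcard strings such as "8.14.x": feed it the exact build reported by each appliance, otherwise the comparison against the fixed build is meaningless. Versions outside the matrix are reported as "unlisted" rather than assumed safe, because the advisory says nothing about them.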
References and Resources
Fixed Version(s) and Release Notes:
Mitre CVE Dictionary Links and CVSSv3 Calculator:
Contact and Additional Information
For ongoing updates and security notifications:
This Security Advisory has been shared across multiple platforms, including security-announce@lists.vmware.com, bugtraq@securityfocus.com, and fulldisclosure@seclists.org.
For direct inquiries, contact VMware at security@vmware.com; for their PGP key, see VMware Knowledge Base Article 1055.
Further Resources:
- VMware Security Advisories
- VMware Security Response Policy
- VMware Lifecycle Support Phases
- VMware Security & Compliance Blog
- VMware Security Response Center on Twitter
🔥Subscribe to the channel: https://bit.ly/3vY16CT🔥
🚨Read my blog: https://angrysysops.com/
👊Twitter: https://twitter.com/AngrySysOps
👊Facebook: https://www.facebook.com/AngrySysOps
👊My Podcast: https://bit.ly/39fFnxm
👊Mastodon: https://techhub.social/@AngryAdmin