Critical Vulnerability in VMware Aria Automation: Understanding and Mitigating the Risk

Impacted Products

Two VMware products are affected: VMware Aria Automation (formerly known as vRealize Automation) and VMware Cloud Foundation, which bundles Aria Automation. Both are currently in the spotlight because of a significant security vulnerability.

Introduction

A critical security issue, classified as a Missing Access Control vulnerability, has been discovered in Aria Automation. It was privately reported to VMware, and updates that remediate the vulnerability are now available for the affected products.

Detailed Analysis of the Vulnerability (CVE-2023-34063)

Description: The core of the problem lies in a Missing Access Control vulnerability within Aria Automation. After a thorough evaluation, VMware has classified the severity of this issue as Critical, with a maximum CVSSv3 base score of 9.9.

Known Attack Vectors: This vulnerability is especially concerning because the attacker does not need elevated privileges to begin with: a malicious actor who already holds valid credentials for Aria Automation can exploit it to gain unauthorized access to remote organizations and workflows. Any compromised or low-privileged account is therefore a viable starting point.

Resolution: To address CVE-2023-34063, VMware advises applying the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ provided below. Note that for the 8.11.x to 8.14.x lines the fix is the listed point release plus an additional patch, so being on the point release alone does not mean the vulnerability is remediated; confirm that the patch itself has been applied.

Workarounds: Currently, there are no available workarounds for this vulnerability.

Additional Documentation: For more information and clarification, VMware has released a supplemental FAQ, accessible at VMware Security Advisory FAQ.

Acknowledgments: This issue was brought to VMware’s attention thanks to the vigilance of the Commonwealth Scientific and Industrial Research Organisation’s (CSIRO) Scientific Computing Platforms team.


Response Matrix

The following table outlines the affected versions of VMware Aria Automation and VMware Cloud Foundation, along with the corresponding fixed versions:

Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
VMware Aria Automation | 8.16 | Any | CVE-2023-34063 | N/A | N/A | Unaffected | N/A | FAQ
VMware Aria Automation | 8.14.x | Any | CVE-2023-34063 | 9.9 | Critical | 8.14.1 + Patch | N/A | FAQ
VMware Aria Automation | 8.13.x | Any | CVE-2023-34063 | 9.9 | Critical | 8.13.1 + Patch | N/A | FAQ
VMware Aria Automation | 8.12.x | Any | CVE-2023-34063 | 9.9 | Critical | 8.12.2 + Patch | N/A | FAQ
VMware Aria Automation | 8.11.x | Any | CVE-2023-34063 | 9.9 | Critical | 8.11.2 + Patch | N/A | FAQ
VMware Cloud Foundation (Aria Automation) | 5.x, 4.x | Any | CVE-2023-34063 | 9.9 | Critical | KB96136 | N/A | FAQ

References and Resources

Fixed Version(s) and Release Notes:

Mitre CVE Dictionary Links and CVSSv3 Calculator:

Contact and Additional Information

For ongoing updates and security notifications:

This Security Advisory has been shared across multiple platforms, including security-announce@lists.vmware.com, bugtraq@securityfocus.com, and fulldisclosure@seclists.org.

For direct inquiries, contact VMware at security@vmware.com, and for their PGP key, visit VMware Knowledge Base Article 1055.
