This advisory is for organizations that use VMWare Aria Automation for infrastructure automation. If your organization does not use this product, this notification may be discarded.
Summary
VMWare has released security updates to address a missing access control in the Aria Automation platform. This vulnerability could allow an authenticated remote attacker to gain access.
CVE-2023-34063 – VMware Aria Automation (formerly vRealize Automation) updates address a Missing Access Control vulnerability
CSVVv3.1: 9.9
Aria Automation contains a Missing Access Control vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.9.
Affected Platforms
Product |
Version |
CVSSv3 |
Severity |
Fixed Version |
VMware Aria Automation |
8.14.x |
9.9 |
Critical |
8.14.1 + Patch |
VMware Aria Automation |
8.13.x |
9.9 |
Critical |
8.13.1 + Patch |
VMware Aria Automation |
8.12.x |
9.9 |
Critical |
8.12.2 + Patch |
VMware Aria Automation |
8.11.x |
9.9 |
Critical |
8.11.2 + Patch |
VMware Cloud Foundation (Aria Automation) |
5.x, 4.x |
9.9 |
Critical |
KB96136 |
Mitigations
A patch has been released.
To apply the patch, your system must be running the latest version of the major release. For example, if your system is on Aria Automation 8.12.1, you must first update to 8.12.2 before applying the patch.
After patching, the only supported upgrade path is to move to version 8.16 or a newer version.
Additional Resources
https://www.vmware.com/security/advisories/VMSA-2024-0001.html
https://kb.vmware.com/s/article/96098