CVE-2023-34063 - VMWare Aria Automation Remote Access Authorization Vulnerability

Written by Critical Insight | Jan 18, 2024 8:07:51 PM

This advisory is for organizations that use VMware Aria Automation for infrastructure automation. If your organization does not use this product, this notification may be discarded.

Summary

VMware has released security updates to address a missing access control check in the Aria Automation platform. This vulnerability could allow an authenticated remote attacker to gain access beyond what their account is authorized for.

CVE-2023-34063 – VMware Aria Automation (formerly vRealize Automation) updates address a Missing Access Control vulnerability

CVSSv3.1: 9.9

Aria Automation contains a Missing Access Control vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.9.

Affected Platforms

Product                                    Version   CVSSv3  Severity  Fixed Version
VMware Aria Automation                     8.14.x    9.9     Critical  8.14.1 + Patch
VMware Aria Automation                     8.13.x    9.9     Critical  8.13.1 + Patch
VMware Aria Automation                     8.12.x    9.9     Critical  8.12.2 + Patch
VMware Aria Automation                     8.11.x    9.9     Critical  8.11.2 + Patch
VMware Cloud Foundation (Aria Automation)  5.x, 4.x  9.9     Critical  KB96136

Mitigations

A patch has been released.

To apply the patch, your system must be running the latest version of the major release. For example, if your system is on Aria Automation 8.12.1, you must first update to 8.12.2 before applying the patch.

After patching, the only supported upgrade path is to version 8.16 or newer.
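The steps above (confirm the release line is affected, update to the latest version of that major release, then apply the patch) are easy to get wrong across a fleet. The following triage helper is an added example written for this advisory; it is not code from Critical Insight or VMware. The affected-line and patch-base values are taken from the table above; the host inventory is constructed sample data, and the VMware Cloud Foundation entries are deliberately left out because they are remediated per KB96136 rather than by a plain version check.

```python
"""Triage VMware Aria Automation versions against the CVE-2023-34063
affected-version table (VMSA-2024-0001).

Added example, not from the advisory's author or from VMware.
"""
from __future__ import annotations

from dataclasses import dataclass

# Affected 8.x release lines, mapped to the base version a system must be
# running before the patch can be applied (values from the advisory table).
# VMware Cloud Foundation is not covered here; it follows KB96136 instead.
AFFECTED_LINES: dict[str, str] = {
    "8.14": "8.14.1",
    "8.13": "8.13.1",
    "8.12": "8.12.2",
    "8.11": "8.11.2",
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '8.12.1' into (8, 12, 1); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def _key(v: tuple[int, ...]) -> tuple[int, ...]:
    """Pad to three components so (8, 12) and (8, 12, 0) compare equal."""
    return (v + (0, 0, 0))[:3]


@dataclass
class Triage:
    version: str
    affected: bool
    patch_base: str | None   # version that must be running before the patch
    interim_upgrade: bool    # True if an update to patch_base is needed first
    note: str


def triage(version: str) -> Triage:
    """Classify one Aria Automation version according to the advisory."""
    v = parse_version(version)
    if len(v) < 2:
        raise ValueError(f"need at least major.minor: {version!r}")
    line = f"{v[0]}.{v[1]}"
    base = AFFECTED_LINES.get(line)
    if base is None:
        # 8.16+ is the post-patch upgrade target; anything else unlisted
        # (e.g. older lines) should be checked against VMware's advisory.
        return Triage(version, False, None, False,
                      "release line not in the VMSA-2024-0001 table; confirm with VMware")
    if _key(v) < _key(parse_version(base)):
        return Triage(version, True, base, True,
                      f"update to {base} first, then apply the patch")
    return Triage(version, True, base, False,
                  f"on {base} or later: apply the patch, then plan the upgrade to 8.16+")


def triage_inventory(hosts: list[tuple[str, str]]) -> list[tuple[str, Triage]]:
    """Run triage over (hostname, version) pairs, e.g. from a CMDB export."""
    return [(host, triage(ver)) for host, ver in hosts]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are not real assets.
    inventory = [
        ("aria-prod-01", "8.12.1"),
        ("aria-prod-02", "8.14.1"),
        ("aria-lab-01", "8.16.0"),
    ]
    for host, result in triage_inventory(inventory):
        status = "AFFECTED" if result.affected else "not listed"
        print(f"{host:14} {result.version:8} {status:10} {result.note}")
```

Versions with only two components (e.g. "8.12") are treated as ".0" so they sort below the required patch base, which is the conservative choice for a triage report.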

Additional Resources

https://www.vmware.com/security/advisories/VMSA-2024-0001.html

https://kb.vmware.com/s/article/96098

https://core.vmware.com/resource/vmsa-2024-0001-questions-answers#are-there-more-details-on-the-vectors-of-the-individual-vulnerabilities