VMware Aria Automation Security Flaw

VMware Aria Automation and Cloud Foundation Critical Security Vulnerability

As an Angry Admin, I’m here to keep you informed about the latest security threats and vulnerabilities in the virtualization world. Recently, VMware’s product lineup has come under the spotlight due to a significant security vulnerability. Specifically, Aria Automation (formerly known as vRealize Automation) and VMware Cloud Foundation, which incorporates Aria Automation, have been affected by a critical security concern.

A Missing Access Control vulnerability has been discovered in Aria Automation, and while VMware is yet to release an official advisory, I’ve got all the information you need to know about this issue.

What’s the vulnerability?

The core of the problem lies in a Missing Access Control vulnerability within Aria Automation. After a thorough evaluation, VMware has classified the severity of this issue as Critical, with a maximum CVSSv3 base score of 9.9. This vulnerability is especially concerning because an authenticated malicious actor can exploit it, potentially gaining unauthorized access to remote organizations and workflows.
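To make the vulnerability class concrete, here is an added illustration of what "missing access control" looks like in a multi-tenant workflow API, with the flawed handler beside a hardened one. This is hypothetical example code, not VMware's, and it says nothing about how Aria Automation is actually implemented; the organizations, users and workflows are constructed sample data.

```python
"""
Added illustration of the vulnerability class named in the advisory (Missing
Access Control) in a hypothetical multi-tenant workflow API. This is not
VMware's code and does not describe Aria Automation internals; the
organizations, users and workflows below are constructed sample data.
"""
from dataclasses import dataclass, field


class Unauthenticated(Exception):
    """Caller presented no valid session."""


class NotFound(Exception):
    """Object does not exist, or the caller is not allowed to learn that it does."""


class Forbidden(Exception):
    """Caller is a valid user but lacks the required role in this organization."""


@dataclass
class User:
    name: str
    # organization id -> role held in that organization ("admin" or "member")
    roles: dict = field(default_factory=dict)


@dataclass
class Workflow:
    workflow_id: str
    org_id: str
    name: str


# Constructed sample tenants: alice administers org-A, bob is a member of org-B.
USERS = {
    "alice": User("alice", {"org-A": "admin"}),
    "bob": User("bob", {"org-B": "member"}),
}
WORKFLOWS = {
    "wf-1": Workflow("wf-1", "org-A", "deploy-web"),
    "wf-2": Workflow("wf-2", "org-B", "rotate-keys"),
}


def authenticate(session_user):
    """Authentication only: establishes who is calling, not what they may see."""
    user = USERS.get(session_user)
    if user is None:
        raise Unauthenticated(session_user)
    return user


def get_workflow_vulnerable(session_user, workflow_id):
    """Missing access control: any authenticated user can read any organization's
    workflow, because the handler never compares the workflow's org_id with the
    caller's memberships."""
    authenticate(session_user)
    wf = WORKFLOWS.get(workflow_id)
    if wf is None:
        raise NotFound(workflow_id)
    return wf


def get_workflow_fixed(session_user, workflow_id):
    """Hardened handler: authorization is scoped to the organization that owns the
    object. A foreign object is reported exactly like a missing one, so the
    response does not confirm that other tenants' workflows exist."""
    user = authenticate(session_user)
    wf = WORKFLOWS.get(workflow_id)
    if wf is None or wf.org_id not in user.roles:
        raise NotFound(workflow_id)
    return wf


def delete_workflow_fixed(session_user, workflow_id):
    """Mutating operations need two checks: tenancy (is this my organization?)
    and role (may I change things here?). Returns the deleted workflow id."""
    user = authenticate(session_user)
    wf = get_workflow_fixed(session_user, workflow_id)   # tenancy check
    if user.roles.get(wf.org_id) != "admin":             # role check
        raise Forbidden(f"{user.name} is not an admin of {wf.org_id}")
    del WORKFLOWS[workflow_id]
    return workflow_id


def cross_tenant_read_allowed(handler, session_user, workflow_id):
    """Audit helper: True if `handler` hands the caller an object owned by an
    organization the caller does not belong to. Suitable as a regression check
    that the authorization fix stays in place."""
    user = authenticate(session_user)
    try:
        wf = handler(session_user, workflow_id)
    except (NotFound, Forbidden):
        return False
    return wf.org_id not in user.roles


if __name__ == "__main__":
    # alice belongs only to org-A and asks for org-B's workflow
    print("vulnerable handler leaks:", cross_tenant_read_allowed(get_workflow_vulnerable, "alice", "wf-2"))
    print("fixed handler leaks:     ", cross_tenant_read_allowed(get_workflow_fixed, "alice", "wf-2"))
```

The point of the pairing is that authentication alone (the `authenticate` call both handlers share) never answers the authorization question; every object lookup has to be scoped to the tenant that owns it, and mutating operations additionally need a role check inside that tenant.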

What versions are affected?

The following table outlines the affected versions of VMware Aria Automation and VMware Cloud Foundation, along with the corresponding fixed versions:

Fixed Version(s) and Release Notes:

Mitre CVE Dictionary Links and CVSSv3 Calculator: for ongoing updates and security notifications, check the VMware Security Advisory page.

How to mitigate the vulnerability?

To address CVE-2023-34063, VMware advises applying patches as listed in the ‘Fixed Version’ column of the ‘Response Matrix’ provided below. Currently, there are no available workarounds for this vulnerability.

Additional Documentation: For more information and clarification, VMware has released a supplemental FAQ, accessible at VMware Security Advisory FAQ.

Acknowledgments: This issue was brought to VMware’s attention thanks to the vigilance of the Commonwealth Scientific and Industrial Research Organisation’s (CSIRO) Scientific Computing Platforms team.

The security advisory has been shared across multiple platforms, including security-announce@lists.vmware.com, bugtraq@securityfocus.com, and fulldisclosure@seclists.org. For direct inquiries, contact VMware at security@vmware.com, and for their PGP key, visit VMware Knowledge Base Article 1055.

Further Resources:

Subscribe to the channel: https://bit.ly/3vY16CT

Read my blog: https://angrysysops.com/

Twitter: https://twitter.com/AngrySysOps

Facebook: https://www.facebook.com/AngrySysOps

My Podcast: https://bit.ly/39fFnxm

Mastodon: https://techhub.social/@AngryAdmin

This security advisory has been updated to include additional information and clarification on the affected versions and mitigation steps. As always, stay vigilant and keep your virtualization infrastructure up-to-date with the latest patches and updates.
