VMware has released updates for Aria Automation, its multi-cloud infrastructure automation platform for public, private and hybrid clouds, to fix a critical vulnerability that could allow authenticated attackers to access remote organizations and workflows. VMware Cloud Foundation, a suite of software-defined services for setting up private clouds, is also impacted if the products were deployed using the Aria Suite Lifecycle Manager.
VMware describes the vulnerability (CVE-2023-34063) as a “missing access control” issue and rates it with 9.9 out of 10 on the CVSS severity scale. The flaw was privately reported to the company and VMware is not aware of any in-the-wild exploitation of the issue at this time.
Update Aria Automation before patching vulnerability
All supported versions of Aria Automation (formerly vRealize Automation) are affected. This includes versions 8.11.x, 8.12.x, 8.13.x and 8.14.x. While the company has released individual patches for each of these releases, it strongly recommends that users upgrade to the newly released 8.16 version. Users of affected VMware Cloud Foundation 4.x and 5.x deployments should use the VMware Aria Suite Lifecycle Manager to upgrade VMware Aria Automation to the fixed version.
“To apply the patch, your system must be running the latest version of the major release,” the company said in a FAQ document for the vulnerability. “For example, if your system is on Aria Automation 8.12.1, you must first update to 8.12.2 before applying the patch. After patching, the only supported upgrade path is to move to version 8.16 or a newer version.”
No action needed for Aria Automation Cloud
Aria Automation Cloud is not affected, as mitigations have already been implemented on the server side by VMware, which runs the service. VMware vCenter, VMware ESXi and Aria Orchestrator are also not affected, but VMware notes that as of version 8.16, access to Aria Automation Orchestrator is governed by separate Orchestrator service roles. The company also warns that if users upgrade a patched appliance to an intermediate version, for example from 8.12.x to 8.13.x instead of going to 8.16, the vulnerability will be reintroduced and a new round of patching will be required.
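The version and upgrade-path rules above (affected trains, the "latest build of the train before patching" prerequisite, and the reintroduction trap when a patched appliance moves to an intermediate release) are easy to get wrong across a fleet. The following is an added example of how to encode them in an inventory check; it is not VMware tooling. The host inventory is constructed, and the only "latest build per train" entry shown (8.12 to 8.12.2) is the one quoted from VMware's FAQ above; any other train's latest build is left unknown and must be filled in from the vendor advisory.

```python
"""Fleet check for CVE-2023-34063 exposure and upgrade-path sanity.

Added example, not VMware's tooling. Rules come from the advisory summary
above; the inventory and the latest-build table are placeholders to replace
with real data.
"""
from __future__ import annotations

from dataclasses import dataclass

# Trains the advisory lists as affected, and the release that closes the issue.
AFFECTED_TRAINS = {(8, 11), (8, 12), (8, 13), (8, 14)}
FIXED_RELEASE = (8, 16)

# Latest build per affected train. Only 8.12 -> 8.12.2 is taken from the FAQ
# quoted above; other trains are deliberately absent (assumption: fill in from
# the vendor advisory before relying on this table).
LATEST_IN_TRAIN: dict[tuple[int, int], tuple[int, ...]] = {
    (8, 12): (8, 12, 2),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '8.12.1' into (8, 12, 1); rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def fmt(version: tuple[int, ...]) -> str:
    return ".".join(str(p) for p in version)


def train(version: tuple[int, ...]) -> tuple[int, int]:
    """Major.minor train, e.g. (8, 12) for 8.12.1."""
    return (version[0], version[1])


@dataclass
class Finding:
    host: str
    version: str
    status: str  # "fixed", "patched", "affected" or "unknown"
    action: str


def assess(host: str, version_text: str, patched: bool = False) -> Finding:
    """Classify one appliance and say what to do next."""
    v = parse_version(version_text)
    t = train(v)
    if v >= FIXED_RELEASE:
        return Finding(host, version_text, "fixed", "no action; 8.16 or newer")
    if t not in AFFECTED_TRAINS:
        return Finding(host, version_text, "unknown",
                       "train not listed in the advisory; verify with VMware")
    if patched:
        return Finding(host, version_text, "patched",
                       "only supported upgrade path is 8.16 or newer")
    latest = LATEST_IN_TRAIN.get(t)
    if latest is None:
        action = "affected; confirm latest build of this train, update to it, then patch (or go straight to 8.16)"
    elif v < latest:
        action = f"affected; update to {fmt(latest)} before applying the patch, or upgrade directly to 8.16"
    else:
        action = "affected; apply the per-release patch or upgrade to 8.16"
    return Finding(host, version_text, "affected", action)


def check_upgrade(current_text: str, target_text: str, patched: bool) -> str:
    """Sanity-check a proposed upgrade against the advisory's path rules."""
    cur, tgt = parse_version(current_text), parse_version(target_text)
    if tgt >= FIXED_RELEASE:
        return "ok"
    if patched and train(cur) in AFFECTED_TRAINS:
        # Patched appliance moving to a pre-8.16 release: the flaw comes back.
        return "reintroduces"
    if train(tgt) in AFFECTED_TRAINS:
        return "still-affected"
    return "unknown"


# Constructed inventory (hostnames and versions are placeholders).
INVENTORY = [
    ("vra-prod-01", "8.12.1", False),
    ("vra-prod-02", "8.12.2", True),
    ("vra-lab-01", "8.14.0", False),
    ("vra-new-01", "8.16.0", False),
]


def run_inventory() -> list[Finding]:
    return [assess(h, v, p) for h, v, p in INVENTORY]


if __name__ == "__main__":
    for f in run_inventory():
        print(f"{f.host:12} {f.version:8} {f.status:9} {f.action}")
    print(check_upgrade("8.12.2", "8.13.1", patched=True))
```

Feed it the real appliance versions from Aria Suite Lifecycle Manager and, before approving any upgrade ticket, run `check_upgrade` on the proposed target: a "reintroduces" result means the change would undo the patch.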
“There may be other mitigations and compensating controls that could be applicable within your organization, dependent on your security posture, defense-in-depth strategies, and the configurations of perimeter and appliance firewalls,” the company said. “Each organization must assess for themselves whether to rely on these protections and how to effectively configure these measures for their environment.”