VMSA-2024-0001

VMware Security Advisory

Critical

Advisory ID:
VMSA-2024-0001

CVSSv3 Range:
9.9

Issue Date:
2024-01-16

Updated On:
2024-01-16 (Initial Advisory)

CVE(s):
CVE-2023-34063

Synopsis:
VMware Aria Automation (formerly vRealize Automation) updates address a Missing Access Control vulnerability (CVE-2023-34063)

1. Impacted Products

VMware Aria Automation (formerly vRealize Automation)
VMware Cloud Foundation (Aria Automation)

2. Introduction

A Missing Access Control vulnerability in Aria Automation was privately reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.

3. Aria Automation Missing Access Control Vulnerability (CVE-2023-34063)

Description

Aria Automation contains a Missing Access Control vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.9.

Known Attack Vectors

An authenticated malicious actor may exploit this vulnerability to gain unauthorized access to remote organizations and workflows. Note that the CVSS vector in section 4 scores this with Scope: Changed, reflecting that access obtained through one organization's context reaches resources belonging to others.

Resolution

To remediate CVE-2023-34063 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below. The fixed versions are listed as ‘<release> + Patch’: upgrading to the listed 8.x.y release alone does not remediate the issue, the separately published patch must also be applied on top of it.

Workarounds

None.  

Additional Documentation

A supplemental FAQ was created for additional clarification. Please see: https://via.vmw.com/vmsa-2024-0001-qna

Notes

None.

Acknowledgements

VMware would like to thank Commonwealth Scientific and Industrial Research Organisation’s (CSIRO) Scientific Computing Platforms team for reporting this issue to us.

Response Matrix

Product                                     Version    Running On   CVE Identifier   CVSSv3   Severity   Fixed Version    Workarounds   Additional Documentation
VMware Aria Automation                      8.16       Any          CVE-2023-34063   N/A      N/A        Unaffected       N/A           FAQ
VMware Aria Automation                      8.14.x     Any          CVE-2023-34063   9.9      Critical   8.14.1 + Patch   N/A           FAQ
VMware Aria Automation                      8.13.x     Any          CVE-2023-34063   9.9      Critical   8.13.1 + Patch   N/A           FAQ
VMware Aria Automation                      8.12.x     Any          CVE-2023-34063   9.9      Critical   8.12.2 + Patch   N/A           FAQ
VMware Aria Automation                      8.11.x     Any          CVE-2023-34063   9.9      Critical   8.11.2 + Patch   N/A           FAQ
VMware Cloud Foundation (Aria Automation)   5.x, 4.x   Any          CVE-2023-34063   9.9      Critical   KB96136          N/A           FAQ
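The following is an added triage helper, not part of the advisory and not VMware's own tooling. It encodes the Response Matrix rows above and, given an Aria Automation version string from an inventory, reports whether an instance is vulnerable, unaffected, or outside the matrix. The version string format and the operator-supplied patch_applied flag are assumptions of this example; because every fixed version in the matrix is "<release> + Patch", a release number alone is never treated as proof of remediation.

```python
"""Triage helper for the VMSA-2024-0001 Response Matrix (added example; not the
advisory's or VMware's own tooling).

Given an Aria Automation version string from inventory, reports whether the
instance is vulnerable to CVE-2023-34063 according to the matrix. The matrix
rows are transcribed from the advisory; the version string format and the
'patch_applied' flag are assumptions of this example.
"""
import re
from typing import Optional, Tuple

# Fixed Version per major.minor line, as listed in the Response Matrix.
# None marks a line the advisory lists as Unaffected. Lines absent here
# (e.g. 8.15, or anything older than 8.11) are not covered by the matrix.
FIXED_BY_LINE = {
    (8, 16): None,
    (8, 14): (8, 14, 1),
    (8, 13): (8, 13, 1),
    (8, 12): (8, 12, 2),
    (8, 11): (8, 11, 2),
}

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]' (assumed inventory format); missing PATCH is 0."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch is not None else 0)


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def triage(version: str, patch_applied: Optional[bool] = None) -> Tuple[str, str]:
    """Return (status, action) for one instance.

    patch_applied: whether the separately published CVE-2023-34063 patch has
    been confirmed on the host (None = not known). The advisory's fixed
    versions are '<release> + Patch', so a release number alone never proves
    remediation.
    """
    ver = parse_version(version)
    line = ver[:2]
    if line not in FIXED_BY_LINE:
        return ("unknown", f"{fmt(ver)} is not in the Response Matrix; consult the FAQ")
    fixed = FIXED_BY_LINE[line]
    if fixed is None:
        return ("unaffected", "no action required")
    if ver < fixed:
        return ("vulnerable", f"upgrade to {fmt(fixed)} and apply the CVE-2023-34063 patch")
    if patch_applied is None:
        return ("verify", f"release {fmt(ver)} reached; confirm the CVE-2023-34063 patch is installed")
    if not patch_applied:
        return ("vulnerable", "apply the CVE-2023-34063 patch")
    return ("remediated", "no action required")


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames), not real hosts.
    inventory = [
        ("aria-prod-01", "8.14.0", None),
        ("aria-prod-02", "8.14.1", False),
        ("aria-dev-01", "8.12.2", True),
        ("aria-lab-01", "8.16", None),
        ("aria-legacy", "8.10.0", None),
    ]
    for host, version, patched in inventory:
        status, action = triage(version, patched)
        print(f"{host:14} {version:8} {status:11} {action}")
```

Versions the matrix does not list are reported as "unknown" rather than guessed at, and an instance already on the fixed release is reported as "verify" until someone confirms the patch, since the release number cannot distinguish a patched host from an unpatched one.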

4. References

Fixed Version(s) and Release Notes:
Downloads and Documentation:
https://customerconnect.vmware.com/en/downloads/info/slug/infrastructure_operations_management/vmware_aria_automation/8_16
https://customerconnect.vmware.com/patch
https://docs.vmware.com/en/VMware-Aria-Automation/services/rn/vmware-aria-automation-release-notes/index.html
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34063
FIRST CVSSv3 Calculator:
CVE-2023-34063: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H

5. Change Log

2024-01-16 VMSA-2024-0001
Initial security advisory.  

6. Contact

E-mail: security@vmware.com
PGP key at: https://kb.vmware.com/kb/1055 
VMware Security Advisories https://www.vmware.com/security/advisories 
VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html 
VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html 
VMware Security & Compliance Blog   https://blogs.vmware.com/security 
Twitter https://twitter.com/VMwareSRC
 
Copyright 2024 Broadcom. All rights reserved.  
