VMware Aria Automation Missing Access Control Vulnerability (CVE-2023-34063)

Qualys Security Advisory

The Commonwealth Scientific and Industrial Research Organization’s (CSIRO) Scientific Computing Platforms team discovered an access control vulnerability impacting VMware Aria Automation. CVE-2023-34063 has a critical severity rating with a CVSS score of 9.9. The vulnerability may allow an authenticated malicious actor to get unauthorized access to remote organizations and workflows. An authenticated attacker may exploit the vulnerability in a low-complexity attack over the network.

VMware Aria Automation (formerly vRealize Automation) is a multi-cloud infrastructure automation platform that enhances cloud experience. The platform provides a secure, self-service multi-cloud with governance and resource lifecycle management across VMware and public clouds.

Affected versions

  • VMware Aria Automation 8.14.x before patch number 23104270
  • VMware Aria Automation 8.13.x before patch number 23104357
  • VMware Aria Automation 8.12.x before patch number 23104358
  • VMware Aria Automation 8.11.x before patch number 23104361
  • VMware Cloud Foundation (Aria Automation) 5.x, 4.x

Mitigation

VMware has released patches to address the vulnerability.

For more information about the mitigation, please refer to VMware Security Advisory (VMSA-2024-0001).

Qualys Detection

Qualys customers can scan their devices with QID 379262 to detect vulnerable assets. The QID checks for vulnerable versions of VMware Aria Automation by extracting the version from the ‘/opt/vmware/etc/appliance-manifest.xml’ file.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://www.vmware.com/security/advisories/VMSA-2024-0001.html

READ MORE