Qualys Security Advisory
The Commonwealth Scientific and Industrial Research Organization's (CSIRO) Scientific Computing Platforms team discovered an access control vulnerability affecting VMware Aria Automation. CVE-2023-34063 carries a critical severity rating with a CVSS score of 9.9. The vulnerability may allow an authenticated malicious actor to gain unauthorized access to remote organizations and workflows. An authenticated attacker can exploit it over the network in a low-complexity attack.
VMware Aria Automation (formerly vRealize Automation) is a multi-cloud infrastructure automation platform. It provides a secure, self-service multi-cloud environment with governance and resource lifecycle management across VMware and public clouds.
The following versions are affected:
- VMware Aria Automation 8.14.x before patch number 23104270
- VMware Aria Automation 8.13.x before patch number 23104357
- VMware Aria Automation 8.12.x before patch number 23104358
- VMware Aria Automation 8.11.x before patch number 23104361
- VMware Cloud Foundation (Aria Automation) 5.x, 4.x
VMware has released patches to address the vulnerability.
For more information about the mitigation, please refer to VMware Security Advisory (VMSA-2024-0001).
Qualys customers can scan their devices with QID 379262 to detect vulnerable assets. The QID checks for vulnerable versions of VMware Aria Automation by extracting the version from the '/opt/vmware/etc/appliance-manifest.xml' file.
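As an added example that is not part of the Qualys advisory or the QID itself, the script below encodes the affected-version table above as a check that classifies an Aria Automation version/build pair; the manifest element names (`<version>`, `<build>`) and the sample manifest are assumptions, since the real file's schema is not shown here.

```python
# Added example (not Qualys or VMware code): checks a version/build pair
# against the affected-version table in this advisory (CVE-2023-34063).
# The appliance-manifest.xml layout used below is an ASSUMPTION for
# illustration; the real file's schema is not shown on this page.
import re
import xml.etree.ElementTree as ET

# Minimum fixed build ("patch number") per 8.x line, from the advisory.
FIXED_BUILDS = {
    "8.14": 23104270,
    "8.13": 23104357,
    "8.12": 23104358,
    "8.11": 23104361,
}


def assess(version: str, build: int) -> str:
    """Return 'vulnerable', 'patched', or 'not listed' for a given build."""
    m = re.match(r"^(\d+\.\d+)(?:\.\d+)*$", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    line = m.group(1)
    if line not in FIXED_BUILDS:
        return "not listed"  # branch not in the advisory's table (e.g. VCF)
    return "patched" if build >= FIXED_BUILDS[line] else "vulnerable"


def parse_manifest(xml_text: str) -> tuple[str, int]:
    """Extract (version, build) from a manifest; element names are assumed."""
    root = ET.fromstring(xml_text)
    version = root.findtext("version")
    build = root.findtext("build")
    if version is None or build is None:
        raise ValueError("manifest lacks the assumed <version>/<build> elements")
    return version, int(build)


# Constructed sample manifest (not a real file) for a stand-alone run.
SAMPLE_MANIFEST = """<?xml version="1.0"?>
<manifest>
  <product>VMware Aria Automation</product>
  <version>8.14.0</version>
  <build>23000000</build>
</manifest>"""

if __name__ == "__main__":
    v, b = parse_manifest(SAMPLE_MANIFEST)
    print(f"{v} build {b}: {assess(v, b)}")
```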
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.