VMware has launched updates for Aria Automation, its multi-cloud infrastructure automation platform for public, non-public and hybrid clouds, to repair a vital vulnerability that would enable authenticated attackers to entry distant organizations and workflows. VMware Cloud Basis, a collection of software-defined providers for establishing non-public clouds, can also be impacted if the merchandise had been deployed utilizing the Aria Suite Lifecycle Supervisor.
VMware describes the vulnerability (CVE-2023-34063) as a “lacking entry management” challenge and charges it with 9.9 out of 10 on the CVSS severity scale. The flaw was privately reported to the corporate and VMware shouldn’t be conscious of any in-the-wild exploitation of the problem presently.
Replace Aria Automation earlier than patching vulnerability
All supported variations of Aria Automation (previously vRealize Automation) are affected. This contains variations 8.11.x, 8.12.x, 8.13.x and eight.14.x. Whereas the corporate has launched particular person patches for every of those releases, it strongly recommends that customers replace the newly launched 8.16 model. Customers of affected VMware Cloud Basis 4.x and 5.x deployments ought to use the VMware Aria Suite Lifecycle Supervisor to improve VMware Aria Automation to the fastened model.
“To use the patch, your system should be operating the newest model of the main launch,” the corporate mentioned in a FAQ doc for the vulnerability. “For instance, in case your system is on Aria Automation 8.12.1, you will need to first replace to eight.12.2 earlier than making use of the patch. After patching, the one supported improve path is to maneuver to model 8.16 or a more recent model.”
No motion wanted for Space Automation Cloud
Aria Automation Cloud shouldn’t be affected as mitigations have already been carried out on the server aspect by VMware which runs the service. VMware vCenter, VMware ESXi and Aria Orchestrator are additionally not affected, however notes that as of model 8.16 entry to Automation Orchestrator is now ruled by separate Orchestrator service roles. The corporate additionally warns that if customers select to improve to intermediate variations, for instance from 8.12.x to eight.13.x as a substitute of upgrading to eight.16, the vulnerability will probably be reintroduced and a brand new spherical of patching will probably be required.
“There could also be different mitigations and compensating controls that might be relevant inside your group, dependent in your security posture, defense-in-depth methods, and the configurations of perimeter and equipment firewalls,” the corporate mentioned. “Every group should assess for themselves whether or not to depend on these protections and tips on how to successfully configure these measures for his or her surroundings.”
