Security Advisory: VMSA-2024-0001

1. Impacted Products

  • VMware Aria Automation (formerly vRealize Automation)
  • VMware Cloud Foundation (Aria Automation)

2. Introduction A Missing Access Control vulnerability in Aria Automation has been privately reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.

3. Aria Automation Missing Access Control Vulnerability (CVE-2023-34063) Description: Aria Automation contains a Missing Access Control vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.9.

Known Attack Vectors: An authenticated malicious actor may exploit this vulnerability, leading to unauthorized access to remote organizations and workflows.

Resolution: To remediate CVE-2023-34063, apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

Workarounds: None.

Additional Documentation: A supplemental FAQ was created for additional clarification. Please see: FAQ

Notes: None.

Acknowledgements: VMware would like to thank Commonwealth Scientific and Industrial Research Organisation’s (CSIRO) Scientific Computing Platforms team for reporting this issue to us.

Response Matrix:

ProductVersionRunning OnCVE IdentifierCVSSv3SeverityFixed VersionWorkaroundsAdditional Documentation
VMware Aria Automation8.16AnyCVE-2023-34063N/AN/AUnaffectedN/AFAQ
VMware Aria Automation8.14.xAnyCVE-2023-340639.9Critical 8.14.1 + PatchN/AFAQ
VMware Aria Automation8.13.xAnyCVE-2023-340639.9Critical 8.13.1 + PatchN/AFAQ
VMware Aria Automation8.12.xAnyCVE-2023-340639.9Critical 8.12.2 + PatchN/AFAQ
VMware Aria Automation8.11.xAnyCVE-2023-340639.9Critical 8.11.2 + PatchN/AFAQ
VMware Cloud Foundation (Aria Automation)5.x, 4.xAnyCVE-2023-340639.9Critical KB96136N/AFAQ

4. References

Fixed Version(s) and Release Notes:

Mitre CVE Dictionary Links:

FIRST CVSSv3 Calculator:

5. Change Log 2024-01-16 VMSA-2024-0001

  • Initial security advisory.