Security Advisory: VMSA-2024-0001
1. Impacted Products
- VMware Aria Automation (formerly vRealize Automation)
- VMware Cloud Foundation (Aria Automation)
2. Introduction
A Missing Access Control vulnerability in Aria Automation has been privately reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.
3. Aria Automation Missing Access Control Vulnerability (CVE-2023-34063)
Description: Aria Automation contains a Missing Access Control vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.9.
Known Attack Vectors: An authenticated malicious actor may exploit this vulnerability, leading to unauthorized access to remote organizations and workflows.
Resolution: To remediate CVE-2023-34063, apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.
Workarounds: None.
Additional Documentation: A supplemental FAQ was created for additional clarification. Please see: FAQ
Notes: None.
Acknowledgements: VMware would like to thank Commonwealth Scientific and Industrial Research Organisation’s (CSIRO) Scientific Computing Platforms team for reporting this issue to us.
Response Matrix:
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
VMware Aria Automation | 8.16 | Any | CVE-2023-34063 | N/A | N/A | Unaffected | N/A | FAQ |
VMware Aria Automation | 8.14.x | Any | CVE-2023-34063 | 9.9 | Critical | 8.14.1 + Patch | N/A | FAQ |
VMware Aria Automation | 8.13.x | Any | CVE-2023-34063 | 9.9 | Critical | 8.13.1 + Patch | N/A | FAQ |
VMware Aria Automation | 8.12.x | Any | CVE-2023-34063 | 9.9 | Critical | 8.12.2 + Patch | N/A | FAQ |
VMware Aria Automation | 8.11.x | Any | CVE-2023-34063 | 9.9 | Critical | 8.11.2 + Patch | N/A | FAQ |
VMware Cloud Foundation (Aria Automation) | 5.x, 4.x | Any | CVE-2023-34063 | 9.9 | Critical | KB96136 | N/A | FAQ |
4. References
Fixed Version(s) and Release Notes:
- VMware Aria Automation Downloads and Documentation
- VMware Patch Downloads
- VMware Aria Automation Release Notes
Mitre CVE Dictionary Links:
FIRST CVSSv3 Calculator:
5. Change Log
2024-01-16 VMSA-2024-0001
- Initial security advisory.
Source:
https://www.vmware.com/security/advisories/VMSA-2024-0001.html