A critical vulnerability (CVE-2023-34063) affecting VMware Aria Automation and VMware Cloud Foundation can be exploited by attackers to gain access to remote organizations and workflows, VMware has warned.
The company is not aware of any “in the wild” exploitation of this flaw – for now. Patches are available and VMware recommends upgrading to VMware Aria Automation 8.16.
“This situation qualifies as an emergency change, necessitating prompt action from your organization,” they added.
About CVE-2023-34063
VMware Aria Automation (formerly vRealize Automation) is a multi-cloud infrastructure automation platform, and is included in the VMware Cloud Foundation hybrid cloud platform.
CVE-2023-34063, a missing access control vulnerability, was privately reported by the the Scientific Computing Platforms team of CSIRO, the Australian government agency for scientific research. To exploit it, attackers must have low privileges (must be authenticated), but can trigger the flaw without any user interaction.
It affects all Aria Automation versions prior to v8.16 and VMware Cloud Foundation versions 5.x and 4.x.
It does not affect VMware vCenter Server, VMware ESXi, Aria Orchestrator, or Aria Automation Cloud.
What to do?
“To apply the patch, your system must be running the latest version of the major release. For example, if your system is on Aria Automation 8.12.1, you must first update to 8.12.2 before applying the patch,” the company explained.
“If you choose a different version instead of upgrading to version 8.16, it is important to note that the only supported upgrade path after applying the patch is to version 8.16. VMware strongly recommends this version. If you upgrade to an intermediate version, the vulnerability will be reintroduced, requiring an additional round of patching.”
There are no workarounds available, but VMware says that depending on their security posture, defense-in-depth strategies, and the configurations of perimeter and appliance firewalls, organizations might implement some mitigations and compensating controls.