VMware has released updates for Aria Automation, its multi-cloud infrastructure automation platform for public, private and hybrid clouds, to fix a critical vulnerability that could allow authenticated attackers to access remote organizations and workflows. VMware Cloud Foundation, a suite of software-defined services for building private clouds, is also impacted if the products were deployed using the Aria Suite Lifecycle Manager.
VMware describes the vulnerability (CVE-2023-34063) as a “missing access control” issue and rates it 9.9 out of 10 on the CVSS severity scale. The flaw was privately reported to the company, and VMware is not aware of any in-the-wild exploitation of the issue at this time.
Update Aria Automation before patching vulnerability
All supported versions of Aria Automation (formerly vRealize Automation) are affected. This includes versions 8.11.x, 8.12.x, 8.13.x and 8.14.x. While the company has released individual patches for each of these releases, it strongly recommends that customers update to the newly released 8.16 version. Users of affected VMware Cloud Foundation 4.x and 5.x deployments should use the VMware Aria Suite Lifecycle Manager to upgrade VMware Aria Automation to the fixed version.
“To apply the patch, your system must be running the latest version of the major release,” the company said in a FAQ document for the vulnerability. “For example, if your system is on Aria Automation 8.12.1, you must first update to 8.12.2 before applying the patch. After patching, the only supported upgrade path is to move to version 8.16 or a newer version.”
No action needed for Aria Automation Cloud
Aria Automation Cloud is not affected, as mitigations have already been applied on the server side by VMware, which runs the service. VMware vCenter, VMware ESXi and Aria Orchestrator are also not affected, but VMware notes that as of version 8.16 access to Automation Orchestrator is governed by separate Orchestrator service roles. The company also warns that if users choose to upgrade to intermediate versions, for example from 8.12.x to 8.13.x instead of upgrading to 8.16, the vulnerability will be reintroduced and a new round of patching will be required.
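To make the upgrade rules above concrete, here is an added Python example (not VMware's code or tooling) that plans remediation for an inventory of Aria Automation hosts: it flags the affected 8.11.x to 8.14.x lines, requires the latest release of a line before the patch (the 8.12.1 to 8.12.2 case from the FAQ), and rejects upgrade targets below 8.16. The host names and the inventory are constructed; only the 8.12.x latest release is taken from the page.

```python
# Version lines the advisory lists as affected, and the recommended fixed release.
AFFECTED_LINES = {(8, 11), (8, 12), (8, 13), (8, 14)}
FIXED_RELEASE = (8, 16, 0)

def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '8.12.1' into (8, 12, 1); a missing patch number counts as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) not in (2, 3) or any(p < 0 for p in parts):
        raise ValueError(f"unrecognised Aria Automation version: {text!r}")
    return (parts[0], parts[1], parts[2] if len(parts) == 3 else 0)

def is_affected(version: str) -> bool:
    """True when the host sits in one of the affected 8.11.x to 8.14.x lines."""
    major, minor, _ = parse_version(version)
    return (major, minor) in AFFECTED_LINES

def upgrade_is_supported(target_version: str) -> bool:
    """After patching, only a move to 8.16 or newer is supported; upgrading into
    another pre-8.16 line (e.g. 8.12.x -> 8.13.x) reintroduces the flaw."""
    return parse_version(target_version) >= FIXED_RELEASE

def plan_remediation(version: str, latest_in_line: dict[tuple[int, int], str]) -> list[str]:
    """Ordered steps for one host. latest_in_line maps an affected (major, minor)
    line to its latest release, which the patch requires as its starting point."""
    v = parse_version(version)
    if v >= FIXED_RELEASE:
        return []  # already on the fixed release or newer
    if not is_affected(version):
        return [f"{version} is outside the listed affected lines; confirm its support status"]
    line_name = f"{v[0]}.{v[1]}.x"
    latest = latest_in_line.get(v[:2])
    steps = []
    if latest is None:
        steps.append(f"look up the latest {line_name} release in the VMware FAQ and update to it")
    elif v < parse_version(latest):
        steps.append(f"update {version} -> {latest} (the patch requires the latest {line_name} release)")
    steps.append(f"apply the CVE-2023-34063 patch for {latest or line_name}")
    steps.append("upgrade directly to 8.16 or newer; do not stop at an intermediate 8.x line")
    return steps

# Constructed inventory: the 8.12.1 -> 8.12.2 rule comes from the advisory FAQ;
# the host names and the other host versions are assumptions for illustration only.
LATEST_IN_LINE = {(8, 12): "8.12.2"}
INVENTORY = {"aria-prod-01": "8.12.1", "aria-dev-02": "8.16.0", "aria-lab-03": "8.14.1"}

def plan_fleet(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Remediation plan per host; hosts that need no action are omitted."""
    plans = {host: plan_remediation(ver, LATEST_IN_LINE) for host, ver in inventory.items()}
    return {host: steps for host, steps in plans.items() if steps}
```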
“There may be other mitigations and compensating controls that could be applicable within your organization, dependent on your security posture, defense-in-depth strategies, and the configurations of perimeter and appliance firewalls,” the company said. “Each organization must assess for themselves whether to rely on these protections and effectively configure these measures for their environment.”