1. Summary
| Vulnerability Name | VMware Aria Automation Missing Access Control Vulnerability (CVE-2023-34063) |
|---|---|
| Release Date | January 17, 2024 |
| Component Name | VMware Aria Automation |
| Affected Versions | VMware Aria Automation 8.14.x |
| Vulnerability Type | Missing Access Control |
| Severity | CVSS v3 Base Score: 9.9 (Critical) |
| Exploitability | Attack Vector: Network; Attack Complexity: Low; Privileges Required: Low; User Interaction: None |
| Impact | Confidentiality Impact: Low; Integrity Impact: High; Availability Impact: High |
2. About CVE-2023-34063
2.1 About the Component
VMware Aria Automation (formerly vRealize Automation) is a multi-cloud infrastructure automation platform with event-driven state management and compliance. It helps organizations control and secure self-service clouds, automate across multiple clouds with governance, and deliver infrastructure through DevOps-based workflows.
2.2 About the Vulnerability
On January 17, 2024, Sangfor FarSight Labs received notification of a missing access control vulnerability (CVE-2023-34063) in VMware Aria Automation, classified as critical (CVSS Score 9.9) by VMware.
This vulnerability is caused by a missing server-side access control check when a function is accessed. Because the required privilege level is low, an authenticated user with limited rights is sufficient: by crafting malicious data, an attacker can gain unauthorized access to remote organizations and workflows and thereby execute sensitive operations without authorization.
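The following is an added illustration of the vulnerability class described above, written for this alert; it is not VMware Aria Automation code and does not model that product's internals. It shows a hypothetical workflow-execution handler that only verifies the target exists (the missing access control pattern) beside a hardened version that decides authorization server-side from the caller's own organization and role rather than from anything the client supplies. The organizations, workflows and users are constructed sample data.

```python
"""Missing server-side access control beside its hardened form (hypothetical)."""
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when the caller may not perform the requested operation."""


@dataclass(frozen=True)
class User:
    user_id: str
    org_id: str          # organization (tenant) the caller belongs to
    roles: frozenset     # e.g. {"workflow_operator"}


@dataclass
class Workflow:
    workflow_id: str
    org_id: str          # organization that owns this workflow
    runs: list = field(default_factory=list)


# Constructed sample data: two tenants, one workflow each.
WORKFLOWS = {
    "wf-alpha": Workflow("wf-alpha", org_id="org-a"),
    "wf-beta": Workflow("wf-beta", org_id="org-b"),
}


def run_workflow_vulnerable(caller: User, workflow_id: str) -> str:
    """Missing access control: the handler only checks that the object exists.

    Any authenticated caller can run any tenant's workflow by supplying its id,
    which is the pattern behind a missing server-side authorization check.
    """
    wf = WORKFLOWS.get(workflow_id)
    if wf is None:
        raise KeyError(workflow_id)
    wf.runs.append(caller.user_id)
    return f"ran {wf.workflow_id} as {caller.user_id}"


def run_workflow_fixed(caller: User, workflow_id: str,
                       required_role: str = "workflow_operator") -> str:
    """Hardened handler: authorization is derived from the server-side identity
    of the caller (tenant membership and role), never from client-supplied data."""
    wf = WORKFLOWS.get(workflow_id)
    # Deny before revealing whether an object exists outside the caller's tenant.
    if wf is None or wf.org_id != caller.org_id:
        raise AuthorizationError(f"{caller.user_id} may not access {workflow_id}")
    if required_role not in caller.roles:
        raise AuthorizationError(f"{caller.user_id} lacks role {required_role}")
    wf.runs.append(caller.user_id)
    return f"ran {wf.workflow_id} as {caller.user_id}"


def cross_tenant_allowed(handler) -> bool:
    """Regression check for the authorization boundary: does a low-privileged
    user of org-a succeed in running org-b's workflow through `handler`?
    Returns True when the boundary is missing, False when it holds."""
    outsider = User("alice", org_id="org-a", roles=frozenset({"workflow_operator"}))
    try:
        handler(outsider, "wf-beta")
        return True
    except AuthorizationError:
        return False


if __name__ == "__main__":
    print("vulnerable handler crosses tenants:", cross_tenant_allowed(run_workflow_vulnerable))
    print("fixed handler crosses tenants:", cross_tenant_allowed(run_workflow_fixed))
```

The `cross_tenant_allowed` probe is the kind of authorization regression test worth keeping in a service's test suite: it pins the tenant boundary so that a later refactor of the handler cannot silently drop the check again.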
3. Affected Versions
VMware Aria Automation 8.14.x
VMware Aria Automation 8.13.x
VMware Aria Automation 8.12.x
VMware Aria Automation 8.11.x
VMware Cloud Foundation (Aria Automation) 5.x
VMware Cloud Foundation (Aria Automation) 4.x
4. Solutions
4.1 Remediation Solutions
4.1.1 Official Solution
VMware has released patches for the affected versions of Aria Automation and Cloud Foundation. Affected users are strongly advised to install the relevant patch or upgrade to Aria Automation 8.16 to fix the vulnerability. For more information, see https://www.vmware.com/security/advisories/VMSA-2024-0001.html.
5. Timeline
On January 17, 2024, Sangfor FarSight Labs received notification of a VMware Aria Automation missing access control vulnerability (CVE-2023-34063).
On January 17, 2024, Sangfor FarSight Labs released a vulnerability alert.
6. References
https://www.vmware.com/security/advisories/VMSA-2024-0001.html
https://nvd.nist.gov/vuln/detail/CVE-2023-34063
7. About Sangfor FarSight Labs
Sangfor FarSight Labs researches the latest cyberthreats and unknown zero-day vulnerabilities, alerting customers to potential dangers to their organizations, and providing real-time solutions with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyberthreats, providing fast and easy protection for customers.