Critical Vulnerability in VMware Aria Automation Enables Privilege Escalation

VMware Aria Automation

VMware has disclosed a high-severity vulnerability in its Aria Automation platform that could allow attackers to escalate privileges and impact the availability of systems managed by Aria Automation. Attackers would need an existing user account on the vulnerable instance, but could then potentially gain administrative access.

The vulnerability, tracked as CVE-2023-34063, has been given a severity score of 9.9 out of 10 on the CVSS scale, and impacts all versions of Aria Automation, formerly known as VMware vRealize Automation, prior to version 8.16. It allows authenticated attackers with low-level access to a vulnerable Aria Automation instance to gain elevated permissions. This could lead to further compromise of systems managed by Aria Automation.

Currently, VMware is unaware of any active exploitation. However, the detailed technical information now publicly available on the vulnerability could increase the risk of attacks. Organizations using affected Aria Automation versions should treat patching as an emergency priority.

The vulnerability specifically affects the Aria Automation product. It does not impact Aria Orchestrator, VMware vCenter Server, or VMware ESXi hypervisors.

However, VMware Cloud Foundation deployments are affected if Aria Automation is installed via the Aria Suite Lifecycle Manager (formerly vRealize Lifecycle Manager).

All versions prior to Aria Automation 8.16 are affected. VMware has released patches that address the issue for versions 8.12.2, 8.13.1, 8.14.1, and 8.15.1.

Mitigations and Patching Guidance

VMware strongly recommends upgrading to Aria Automation version 8.16 to fully address this vulnerability.

For earlier versions that are still supported, customers should apply the appropriate patch before upgrading to 8.16. Per VMware's advisory, once the patch is applied, upgrading to version 8.16 is the only supported upgrade path.

The patches require first updating to the latest patch release of your current version. For example, if on 8.12.1, you must upgrade to 8.12.2 before the patch can be applied.
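The patching guidance above amounts to a small decision procedure per installed version: at or past 8.16 means fixed; at one of the listed patch releases means a patch exists and its presence must be verified; below that release within the same train means updating to the listed release first. The following triage helper is an added example, not VMware tooling or part of the original article; the version strings, host names and the rule that trains without a listed patch release go straight to 8.16 are assumptions made for illustration, and the script cannot tell from a version string alone whether the patch has actually been applied, so it reports that as a check rather than a verdict.

```python
"""Patch-status triage for CVE-2023-34063 (VMware Aria Automation).

Added example, not VMware code. It encodes only what the article states:
all versions before 8.16 are affected; patches exist for 8.12.2, 8.13.1,
8.14.1 and 8.15.1; earlier releases of a train must first move to that
train's latest patch release before the patch can be applied.
"""
from dataclasses import dataclass

FIXED_TRAIN = (8, 16)  # 8.16 and later fully address the issue

# Latest patch release per train, taken from the article.
PATCHED_RELEASES = {
    (8, 12): (8, 12, 2),
    (8, 13): (8, 13, 1),
    (8, 14): (8, 14, 1),
    (8, 15): (8, 15, 1),
}


@dataclass(frozen=True)
class Triage:
    version: tuple
    affected: bool
    action: str


def fmt(v):
    """Render a version tuple as dotted text."""
    return ".".join(str(p) for p in v)


def parse_version(text):
    """Parse 'major.minor[.patch[.build]]' into a (major, minor, patch) tuple."""
    nums = tuple(int(p) for p in text.strip().split("."))
    if len(nums) < 2:
        raise ValueError(f"unrecognised version string: {text!r}")
    if len(nums) < 3:
        nums = nums + (0,) * (3 - len(nums))
    return nums[:3]  # ignore any build number beyond the third component


def triage(version_text):
    """Decide whether an installed version is affected and what to do next."""
    v = parse_version(version_text)
    train = v[:2]
    if train >= FIXED_TRAIN:
        return Triage(v, False, "not affected: 8.16 or later")
    patched = PATCHED_RELEASES.get(train)
    if patched is None:
        # Assumption: no patch is listed for this train, so upgrade directly.
        return Triage(v, True, "affected: no listed patch for this train; upgrade to 8.16")
    if v < patched:
        return Triage(v, True,
                      f"affected: update to {fmt(patched)} first, apply the patch, then upgrade to 8.16")
    if v == patched:
        # The version string does not reveal whether the patch is installed.
        return Triage(v, True,
                      f"patch available for {fmt(patched)}: verify it is applied, then upgrade to 8.16")
    # Newer than the listed release but still before 8.16: not described by the article.
    return Triage(v, True, "affected (before 8.16): check VMware's advisory, then upgrade to 8.16")


def triage_inventory(inventory):
    """Map each (hostname, version) pair to its Triage result."""
    return {host: triage(version) for host, version in inventory}


# Constructed sample inventory; host names and versions are made up.
SAMPLE_INVENTORY = [
    ("aria-prod-01", "8.12.1"),
    ("aria-prod-02", "8.14.1"),
    ("aria-lab-01", "8.16"),
    ("aria-old-01", "8.11.2"),
]

if __name__ == "__main__":
    for host, result in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {fmt(result.version)} -> {result.action}")
```

Feeding the script a real inventory export is the intended use; the `affected` flag is conservative by design, so a host at a listed patch release stays flagged until someone confirms the patch is actually installed.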
