VMware is warning of a critical-severity vulnerability in its infrastructure automation platform, Aria Automation, which, if successfully exploited, could give an attacker unauthorized access to remote organizations and workflows.
The issue (CVE-2023-34063) stems from a missing access control check in the Aria Automation platform, formerly known as vRealize Automation. All versions of Aria Automation prior to version 8.16 are vulnerable, according to VMware. With a CVSS v3 base score of 9.9, the flaw is critical, and VMware is urging impacted customers to update to the fixed version, Aria Automation 8.16, as soon as possible.
“This situation qualifies as an emergency change, necessitating prompt action from your organization,” according to the Tuesday VMware security advisory. “However, the appropriate security response varies depending on specific circumstances. It's important to consult with your organization's information security staff to decide the best course of action tailored to your organization's needs.”
Exploitation requires authentication: an attacker needs an account on the platform before the missing check comes into play. The 9.9 score reflects how low that bar is, since a low-privileged account suffices and the impact reaches beyond the attacker's own organization. VMware said that it is not currently aware of the flaw being exploited in the wild.
Aria Automation may be included in other software packages, such as VMware Cloud Foundation; for Cloud Foundation deployments, VMware pointed customers to applying the Aria Automation update through Aria Suite Lifecycle Manager. VMware said that Aria Automation Cloud, ESXi, vCenter Server and Aria Orchestrator are not impacted by this flaw.
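The affected/not-affected list above is what a patch-triage script has to encode. The following is an added example, not code from the article or from VMware: it reads a constructed inventory of product names and version strings, flags on-premises Aria Automation (under either its current or its former vRealize Automation name) below the fixed release 8.16 as the article summarises the advisory, reports the products VMware listed as not affected, and marks anything else as unknown rather than guessing. The hostnames, versions and the inventory format are assumptions for the sake of the example.

```python
"""Triage helper for CVE-2023-34063 (VMware Aria Automation missing access control).

Added example, not from the article or VMware. Flags on-premises Aria Automation /
vRealize Automation appliances below the fixed release 8.16, as the article states
the advisory; products VMware listed as not affected are reported as such, and
anything else is reported as unknown. Inventory rows and hostnames are constructed.
"""
from __future__ import annotations
import re

CVE = "CVE-2023-34063"
FIXED_VERSION = (8, 16, 0)  # first fixed release per the advisory

# Product names as they appear in the constructed inventory (lower-cased on lookup).
# Aria Automation was formerly vRealize Automation, so both names are the affected product.
AFFECTED_PRODUCTS = {"vmware aria automation", "vmware vrealize automation"}
NOT_AFFECTED_PRODUCTS = {
    "vmware aria automation cloud",
    "vmware esxi",
    "vmware vcenter server",
    "vmware aria orchestrator",
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '8.14.1', '8.16' or '8.12.0.23456' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def classify(product: str, version: str) -> str:
    """Return 'vulnerable', 'fixed', 'not_affected' or 'unknown' for one inventory row."""
    name = product.strip().lower()
    if name in NOT_AFFECTED_PRODUCTS:
        return "not_affected"  # version is irrelevant, so it is not parsed (may be 'n/a')
    if name in AFFECTED_PRODUCTS:
        return "vulnerable" if parse_version(version) < FIXED_VERSION else "fixed"
    return "unknown"  # do not guess for products the advisory does not mention


def triage(rows):
    """Return (host, product, version, status) for every row, vulnerable hosts first."""
    results = [(host, product, version, classify(product, version)) for host, product, version in rows]
    order = {"vulnerable": 0, "unknown": 1, "fixed": 2, "not_affected": 3}
    return sorted(results, key=lambda r: order[r[3]])  # stable sort keeps inventory order within a status


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("vra-prod-01.example.internal", "VMware Aria Automation", "8.14.1"),
    ("vra-lab-02.example.internal", "VMware vRealize Automation", "8.12.0"),
    ("vra-dr-03.example.internal", "VMware Aria Automation", "8.16"),
    ("vro-01.example.internal", "VMware Aria Orchestrator", "8.14.0"),
    ("esx-01.example.internal", "VMware ESXi", "8.0.2"),
    ("saas-tenant", "VMware Aria Automation Cloud", "n/a"),
    ("appliance-x", "Some Other Appliance", "1.2.3"),
]

if __name__ == "__main__":
    print(f"Triage for {CVE}, fixed in {'.'.join(map(str, FIXED_VERSION[:2]))}")
    for host, product, version, status in triage(SAMPLE_INVENTORY):
        print(f"{status:13} {host:32} {product} {version}")
```

The script deliberately compares parsed tuples rather than strings, so that "8.9" sorts below "8.16" and a build suffix such as "8.12.0.23456" does not break the check; hosts reported as unknown need a manual look rather than being silently treated as safe.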
While no workarounds exist for the vulnerability, “there may be other mitigations and compensating controls that could be applicable within your organization, dependent on your security posture, defense-in-depth strategies, and the configurations of perimeter and appliance firewalls,” said the security advisory. “Each organization must assess for themselves whether to rely on these protections and how to effectively configure these measures for their environment.”
The Scientific Computing Platforms team with Commonwealth Scientific and Industrial Research Organisation (CSIRO), Australia’s national science agency, was credited with reporting the bug to VMware.
“CVE-2023-34063 affects VMware Aria Automation and VMware Cloud Foundation, both of which have had vulnerabilities that have been exploited in the wild in the past,” said Caitlin Condon, director of Vulnerability Intelligence with Rapid7. “There doesn't appear to be any known exploitation in the wild for the time being, but given that VMware is urging organizations to patch on an urgent basis, we would recommend that security teams heed that advice.”