VMSA-2024-0001:VMware Aria Automation (formerly vRealize Automation) updates address a Missing Access Control vulnerability
23680
14 January 2024
14 January 2024
CLOSED
CRITICAL
9.9
CVE-2023-34063
1. Impacted Products
- VMware Aria Automation (formerly vRealize Automation)
- VMware Cloud Foundation (Aria Automation)
2. Introduction
A Missing Access Control vulnerability in Aria Automation was privately reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.
3. Aria Automation Missing Access Control Vulnerability (CVE-2023-34063)
Description
Aria Automation contains a Missing Access Control vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.9.
Known Attack Vectors
An authenticated malicious actor may exploit this vulnerability leading to unauthorized access to remote organizations and workflows.
Resolution
To remediate CVE-2023-34063, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' below.
Workarounds
None.
Additional Documentation
A supplemental FAQ was created for additional clarification. Please see: https://via.vmw.com/vmsa-2024-0001-qna
Notes
None.
Acknowledgements
VMware would like to thank Commonwealth Scientific and Industrial Research Organisation’s (CSIRO) Scientific Computing Platforms team for reporting this issue to us.
Response Matrix
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
VMware Aria Automation | 8.16 | Any | CVE-2023-34063 | N/A | N/A | Unaffected | N/A |
VMware Aria Automation | 8.14.x | Any | CVE-2023-34063 | critical | N/A | | |
VMware Aria Automation | 8.13.x | Any | CVE-2023-34063 | critical | N/A | | |
VMware Aria Automation | 8.12.x | Any | CVE-2023-34063 | critical | N/A | | |
VMware Aria Automation | 8.11.x | Any | CVE-2023-34063 | critical | N/A | | |
VMware Cloud Foundation (Aria Automation) | 5.x, 4.x | Any | CVE-2023-34063 | critical | N/A | | |
4. References
Fixed Version(s) and Release Notes:
Downloads and Documentation:
https://customerconnect.vmware.com/patch
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34063
FIRST CVSSv3 Calculator:
CVE-2023-34063: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
5. Change Log
2024-01-16 VMSA-2024-0001: Initial security advisory.
6. Contact
E-mail: [email protected]
PGP key at:
https://kb.vmware.com/kb/1055
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Twitter
https://twitter.com/VMwareSRC
Copyright 2024 Broadcom. All rights reserved.