VMware fixed a critical flaw in Aria Automation. Patch it now!

Pierluigi Paganini
January 16, 2024

VMware warns customers of a critical vulnerability impacting its Aria Automation multi-cloud infrastructure automation platform.

VMware Aria Automation (formerly vRealize Automation) is a modern cloud automation platform that simplifies and streamlines the deployment, management, and governance of cloud infrastructure and applications. It provides a unified platform for automating tasks across multiple cloud environments, including VMware Cloud on AWS, VMware Cloud on Azure, and VMware Cloud Foundation.

VMware addressed a critical vulnerability, tracked as CVE-2023-34063 (CVSS score 9.9), that impacted its Aria Automation platform.

The issue is a missing access control vulnerability that an authenticated attacker can exploit to gain unauthorized access to remote organizations and workflows.

“Aria Automation contains a Missing Access Control vulnerability,” reads the advisory. “An authenticated malicious actor may exploit this vulnerability leading to unauthorized access to remote organizations and workflows.”

The vulnerability was discovered by Commonwealth Scientific and Industrial Research Organisation’s (CSIRO) Scientific Computing Platforms team.

CVE-2023-34063 affects Aria Automation versions before 8.16, as well as Cloud Foundation.

VMware strongly recommends customers update their installs to platform version 8.16.


(SecurityAffairs – hacking, VMware)