January 17, 2024 (updated 19 Jan 2024 11:07am)

VMware fixes critical vulnerability in Aria Automation, urges companies to patch

The missing access control vulnerability has been assessed by VMware as 9.9 out of 10 on the CVSS scale.

By Greg Noone

VMware has identified and patched a missing access control vulnerability in Aria Automation, its operations management platform. Tracked as CVE-2023-34063, the flaw has been given a CVSS score of 9.9 out of 10, placing it in the Critical severity range. An advisory from VMware warned that malicious actors could exploit the bug to obtain “unauthorized access to remote organisations and workflows” if it is left unpatched.

“In ITIL terms, this situation qualifies as an emergency change, necessitating prompt action from your organisation,” said the cloud computing software firm in an additional FAQ. “However, the appropriate security response varies depending on specific circumstances. It’s important to consult with your organisation’s information security staff to decide the best course of action tailored to your organisation’s needs.”

VMware has discovered a vulnerability in its Aria Automation product and described it as 9.9 out of 10 on the CVSS scale used to measure the severity of such bugs. (Photo by Mehaniq/Shutterstock)

Aria Automation vulnerability discovered with help from CSIRO

The flaw affects VMware’s Aria Automation up to version 8.16, as well as its Cloud Foundation and VMware vRealize Automation products (its vCenter Server, Aria Automation Cloud and ESXi products, meanwhile, are not affected). The cloud computing software provider has advised all customers running these systems to immediately apply the remedial patch included in its initial advisory describing the vulnerability. Additional mitigations may also be possible, the firm continued, “dependent on your security posture, defence-in-depth strategies, and the configurations of perimeter and appliance firewalls.”

VMware added that it was informed of the flaw by the scientific computing platforms team at Australia’s Commonwealth Scientific and Industrial Research Organisation (CSIRO), and that it was currently unaware of any exploitation of CVE-2023-34063 by hackers “in the wild.” The announcement follows news of several other critical bugs, including a code execution flaw announced by Atlassian with a CVSS score of 10. That bug affects the software company’s Confluence Data Center and Confluence Server products, and has also been patched.

Flaw disclosure follows Broadcom’s takeover victory

The discovery of CVE-2023-34063 constitutes VMware’s first major challenge since its takeover by US chipmaker Broadcom last year. The deal eventually saw the cloud company bought for $69bn in November after winning the approval of regulators in the UK, the EU, the US and South Korea. The agreement was briefly thrown into jeopardy the previous month, however, when it was reported that regulators in China were considering blocking the takeover as political retribution for US chip sanctions. Eventually, Beijing relented after tensions with Washington eased following a summit between the two countries’ leaders in Woodside, California.
