January 17, 2024updated 19 Jan 2024 11:07am

VMware fixes critical vulnerability in Aria Automation, urges companies to patch

The missing access control vulnerability has been assessed by VMware as 9.9 out of 10 on the CVSS scale.

VMware has identified and patched a missing access control vulnerability in Aria Automation, its operations management platform. Named CVE-2023-34063, the flaw is assessed at 9.9 out of 10 on the Critical severity (CVSS) range. An advisory from VMware warned that malicious actors could exploit the bug to obtain “unauthorized access to remote organisations and workflows” if unpatched.

“In ITIL terms, this situation qualifies as an emergency change, necessitating prompt action from your organisation,” said the cloud computing software firm in an additional FAQ. “However, the appropriate security response varies depending on specific circumstances. It’s important to consult with your organisation’s information security staff to decide the best course of action tailored to your organisation’s needs.”

A screenshot of the website of VMware, used to illustrate a story about a new vulnerability discovered in its Aria Automation product. — VMware has discovered a vulnerability in its Aria Automation product and described it as 9.9 out of 10 on the CVSS scale used to measure the severity of such bugs. (Photo by Mehaniq/Shutterstock)

Aria Automation vulnerability discovered with help from CSIRO

The flaw impacts VMware’s Aria Automation up to version 8.16, in addition to its Cloud Foundation and VMware vRealize Automation services (its vCenter Server, Aria Automation Cloud and ESXi services, meanwhile, are not affected). The cloud computing software provider has advised all customers using these systems to immediately download the remedial patch included in its initial advisory describing the vulnerability. Additional mitigations may also be possible, the firm continued, “dependent on your security posture, defence-in-depth strategies, and the configurations of perimeter and appliance firewalls.”

VMware added that it was informed about the flaw by the scientific computing platforms team at Australia’s Commonwealth Scientific and Industrial Research Organisation (CSIRO), adding that it was currently unaware of any exploitation of CVE-2023-34063 by hackers “in the wild.” The announcement follows news of several other critical bugs, including a code execution flaw announced by Atlassian with a CVSS score of 10. That specific bug impacts the software company’s Confluence Data Center and Confluence Server, and has also been patched.

Flaw disclosure follows Broadcom’s takeover victory

The discovery of CVE-2023-34063 constitutes VMware’s first major challenge since its takeover by US chips manufacturer Broadcom last year. The deal eventually saw the cloud company bought for $69bn in November after winning the approval of regulators in the UK, the EU, the US and South Korea. The agreement was briefly thrown into jeopardy the previous month, however, when it was reported that regulators in China were considering blocking the takeover as political retribution for US chip sanctions. Eventually, however, Beijing relented after tensions relaxed with Washington following a summit between the two country’s leaders in Woodside, California.