VMware Response To CVE-2023-34063 (VMSA-2024-0001)
Article ID: 323211

Products

VMware Aria Suite

Issue/Introduction

  • CVE-2023-34063 details a missing access control vulnerability that impacts Aria Automation.
  • VMware's response to this vulnerability is documented in VMSA-2024-0001.
  • Please ensure that you have reviewed VMSA-2024-0001 before proceeding with the instructions in this article.

The Aria Automation 8.16 release notes document a known issue that can impact environments post upgrade. This issue also impacted older versions after installing one of the original patches documented below.
In response to this, VMware have released updated patches that mitigate the vulnerability documented in VMSA-2024-0001 and also include a fix for the issue detailed in KB 96181.

Resolution

All versions of Aria Automation 8.11.x, 8.12.x, 8.13.x and 8.14.x are impacted by this vulnerability.
Customers running versions of Aria Automation that are past their end of general support date are advised to upgrade to a supported version and then mitigate this issue as per the information provided in this article.

To mitigate the vulnerability, VMware recommends upgrading to Aria Automation 8.16.
Alternatively, patches are available for the Aria Automation versions listed below.

In response to the issue documented in KB 96181, VMware have released updated patches.
The original patches fully mitigate the vulnerability documented in VMSA-2024-0001, but introduced an issue with custom forms as detailed in KB 96181.
The later patches fully mitigate the vulnerability and resolve the custom form issue.

 
Aria Automation Version | Original Patch                            | Patch Including Fix For KB 96181
8.11.2                  | vrlcm-vra-8.11.2-8.11.2.30127.patch       | vrlcm-vra-8.11.2-8.11.2.30135.patch
8.12.2                  | vrlcm-vra-8.12.2-8.12.2.31368.patch       | vrlcm-vra-8.12.2-8.12.2.31375.patch
8.13.1                  | vrlcm-vra-8.13.1-8.13.1.32385.patch       | vrlcm-vra-8.13.1-8.13.1.32392.patch
8.14.1                  | vrlcm-vra-8.14.1-8.14.1.33501.patch       | vrlcm-vra-8.14.1-8.14.1.33507.patch
8.16                    | No Patch - Fix included in 8.16 GA        | vrlcm-vra-8.16.0-8.16.0.33716.patch

To apply the patch, you must be running one of the versions listed above.
If the environment to be patched is running an earlier version, it must first be upgraded to one of the listed versions, and then the patch must be installed on that version.

For example:
  • The environment is running Aria Automation 8.12
  • The environment must be upgraded to 8.12.2
  • The patch is to be installed on 8.12.2
  • Then install the patch detailed in the table below
    • The patch is to be installed on the Aria Automation appliances only
Aria Automation 8.16 is not impacted by this issue.
There is no Aria Automation version 8.15.

As documented in the Aria Automation 8.16 release notes, the fix for this issue changes how Aria Automation Orchestrator actions are executed by the form-service API and introduces checks to ensure that the action being executed is part of a catalog or day 2 operation.
As a result of these changes, VMware strongly recommend upgrading to Aria Automation 8.16 to mitigate the issue.
In addition, due to the nature of the changes, the upgrade path after installing one of the patches is Aria Automation 8.16.

Updating from a "patched" environment to a version other than Aria Automation 8.16 will re-introduce the vulnerability until the associated patch is installed.
 
Aria Automation Version | Recommended Solution                                                                  | Alternative Solution                | Upgrade Path Post Patching
8.11                    | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch       | Upgrade to 8.11.2 and install patch | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch
8.11.1                  | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch       | Upgrade to 8.11.2 and install patch | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch
8.11.2                  | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch       | Install patch on 8.11.2             | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch
8.12                    | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch       | Upgrade to 8.12.2 and install patch | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch
8.12.1                  | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch       | Upgrade to 8.12.2 and install patch | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch
8.12.2                  | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch       | Install patch on 8.12.2             | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch
8.13                    | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch       | Upgrade to 8.13.1 and install patch | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch
8.13.1                  | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch       | Install patch on 8.13.1             | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch
8.14                    | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch       | Upgrade to 8.14.1 and install patch | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch
8.14.1                  | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch       | Install patch on 8.14.1             | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch


Note: If you would like to upgrade to VMware Aria Automation 8.16, then VMware Aria Suite Lifecycle 8.14 Product Support Pack 4 must be applied.

Please refer to the release notes: VMware Aria Suite Lifecycle 8.14 Product Support Pack Release Notes

The patches are to be installed using Aria Suite Lifecycle; the process is documented here and the required steps are also provided below.
Environments running older versions that are past end of support are recommended to upgrade to 8.16, or to upgrade to a version that has a patch available and then install the appropriate patch.

Procedure To Upgrade
The upgrade process is documented here

Procedure To Install A Patch
(This documents the process when patching the Automation appliance. Upgrading to Aria Automation 8.16 can be performed using the normal upgrade process.)
(Screenshots are provided as a guide only. Details, such as versions, may differ in the environment to be patched.)

Please ensure that you have created a snapshot of the Aria Automation appliance to be patched before proceeding with these steps.


1) Log in to Aria Suite Lifecycle (formerly vRealize Suite Lifecycle Manager).
2) Click Lifecycle Operations, navigate to Settings > Binary Mappings.
3) Click Patch Binaries.

[Screenshot: Number1.jpg]

4) Click on "CHECK PATCHES ONLINE" to refresh the list of available patches.
5) Once complete, filter for the required patch version, e.g. 8.11.
6) Click on download and wait for the request to complete.

If the patches are not available, or there is no internet connectivity, see the steps below. Otherwise, skip to step 7.
a) The patches can also be downloaded and applied manually.
b) Go to the "Product Patches" page and log in.
c) Select "vRealize Suite Lifecycle Manager" as the product and click on search.
d) There will be 4 patches with a release date of 2024-01-16.

[Screenshot: patches.jpg]

e) Download the patch for your version.
f) Using WinSCP or similar, copy the patch to a location on the Lifecycle Manager appliance, e.g. /data/patches/vra
g) Log in to Lifecycle Manager and navigate to Settings - Binary Mapping - Patch Binaries.

[Screenshot: patches2.jpg]

h) Select "Add Patch Binary", enter the location of the patch on the appliance, click on the appropriate patch and select ADD.

[Screenshot: patches3.jpg]

i) Wait for the request to complete.
                         
7) Go to Environments and select the environment where the Aria Automation appliances to be updated are hosted.
8) Select "View Details", click on the three dots and navigate to "Install patch".

[Screenshot: Number2a.jpg]

9) Select the patch from the list of downloaded patches.

[Screenshot: Number3a.jpg]

10) Click Next.
11) Review and install the available patch.

[Screenshot: Number4a.jpg]

12) The patch install request progress can be tracked under Requests.

Remove the snapshot once the patch installation has completed.

To view the history of patches, click Patches > History.

[Screenshot: Number5.jpg]

Click on History.

[Screenshot: Number6.jpg]

Alternatively, the "vracli version patch" command can be used to validate that the patch is installed.
Note: The product version and build numbers reported via the Aria Automation GUI will not change after installing any of the patches. Please use the steps below to validate the patch installation.

1) Log in to the Aria Automation appliance via an SSH session.
2) Execute the command below:
                    vracli version patch
3) This lists the details of any installed patch.

[Screenshot: Number7.jpg]

[Screenshot: cumulative.jpg]

4) The patch numbers reported for each version are shown below.

Original Patch
Aria Automation Version | Reported Patch Number
8.11.2                  | 23104361
8.12.2                  | 23104358
8.13.1                  | 23104357
8.14.1                  | 23104270

Cumulative Patch Including Fix For KB 96181
Aria Automation Version | Reported Patch Numbers
8.11.2                  | 23104361, 23191939
8.12.2                  | 23104358, 23191130
8.13.1                  | 23104357, 23191129
8.14.1                  | 23104270, 23192207
8.16                    | 23208597
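Because the GUI version and build numbers do not change after patching, the only reliable confirmation is the patch ID list from "vracli version patch". The script below is an added example for checking that output against the cumulative-patch table above across a fleet of appliances; it is not part of this article and not a VMware tool. The expected IDs are copied from the table, but the layout of the vracli output is an assumption (the check only requires each ID to appear as a whole number somewhere in the captured text), and the sample output embedded for the stand-alone run is constructed.

```sh
#!/bin/sh
# Added example (not from the article or from VMware): compare the patch IDs
# that `vracli version patch` reports against the IDs in the tables above.
# Real use on the appliance:  ./check_patch.sh 8.12.2 "$(vracli version patch)"

# Expected "Reported Patch Numbers" per Aria Automation version, copied from
# the cumulative-patch table in this article (both IDs are required where two
# are listed). Prints the IDs for a known version, returns 1 otherwise.
expected_patch_ids() {
  case "$1" in
    8.11.2)      echo "23104361 23191939" ;;
    8.12.2)      echo "23104358 23191130" ;;
    8.13.1)      echo "23104357 23191129" ;;
    8.14.1)      echo "23104270 23192207" ;;
    8.16|8.16.0) echo "23208597" ;;
    *)           return 1 ;;
  esac
}

# missing_patch_ids VERSION OUTPUT
# OUTPUT is the captured text of `vracli version patch`. Its exact layout is
# an assumption here: the check only requires each expected ID to appear as a
# whole number somewhere in the text. Prints the IDs that are absent (empty
# when every expected patch is present); returns 2 for an unknown version.
missing_patch_ids() {
  _version="$1"
  _output="$2"
  _ids=$(expected_patch_ids "$_version") || {
    echo "unknown Aria Automation version: $_version" >&2
    return 2
  }
  _missing=""
  for _id in $_ids; do
    # whole-number match, so a longer run of digits never satisfies the check
    if ! printf '%s\n' "$_output" | grep -Eq "(^|[^0-9])$_id([^0-9]|\$)"; then
      _missing="$_missing $_id"
    fi
  done
  printf '%s' "${_missing# }"
}

# Constructed sample of appliance output for a fully patched 8.12.2 node.
# The layout is illustrative only, not the real vracli format.
SAMPLE_OUTPUT='Patch 23104358 applied 2024-01-16
Patch 23191130 applied 2024-01-24'

# Stand-alone demonstration; pass VERSION and the captured output for real use.
if [ "$#" -eq 2 ]; then
  _result=$(missing_patch_ids "$1" "$2") || exit 2
else
  _result=$(missing_patch_ids 8.12.2 "$SAMPLE_OUTPUT")
fi
if [ -z "$_result" ]; then
  echo "all expected patch IDs present"
else
  echo "missing patch ID(s): $_result"
fi
```

An appliance that carries only the original patch (one ID) is reported as missing the second ID, which is exactly the state where the custom forms issue from KB 96181 is still present; an unknown version string is refused rather than silently passing.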
 
 
 
Note
The Aria Automation 8.16 release notes document a known issue that can impact environments post upgrade. This issue can also impact older versions after installing one of the patches above.
Please see KB 96181 for details.