VMSA-2024-0001


Critical


VMSA-2024-0001

9.9

2024-01-16

2024-01-16 (Initial Advisory)

CVE-2023-34063

VMware Aria Automation (formerly vRealize Automation) updates address a Missing Access Control vulnerability (CVE-2023-34063)

1. Impacted Products

  • VMware Aria Automation (formerly vRealize Automation)
  • VMware Cloud Foundation (Aria Automation)

2. Introduction

A Missing Access Control vulnerability in Aria Automation was privately reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.

3. Aria Automation Missing Access Control Vulnerability (CVE-2023-34063)

Description

Aria Automation contains a Missing Access Control vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.9.

Known Attack Vectors

An authenticated malicious actor may exploit this vulnerability leading to unauthorized access to remote organizations and workflows.

Resolution

To remediate CVE-2023-34063 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

Workarounds

None.  

Additional Documentation

A supplemental FAQ was created for additional clarification. Please see:

Notes

None.

Acknowledgements

VMware would like to thank Commonwealth Scientific and Industrial Research Organisation’s (CSIRO) Scientific Computing Platforms team for reporting this issue to us.

Response Matrix

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
VMware Aria Automation
8.16
Any
CVE-2023-34063
N/A
N/A

Unaffected
N/A

FAQ
VMware Aria Automation
8.14.x
Any
CVE-2023-34063

9.9
critical


8.14.1 + Patch
N/A

FAQ
VMware Aria Automation
8.13.x
Any
CVE-2023-34063

9.9
critical


8.13.1 + Patch
N/A

FAQ
VMware Aria Automation
8.12.x
Any
CVE-2023-34063

9.9
critical


8.12.2 + Patch
N/A

FAQ
VMware Aria Automation
8.11.x
Any
CVE-2023-34063

9.9
critical


8.11.2 + Patch
N/A

FAQ
VMware Cloud Foundation (Aria Automation)
5.x, 4.x
Any
CVE-2023-34063

9.9
critical


KB96136
N/A

FAQ

4. References

Fixed Version(s) and Release Notes:

Downloads and Documentation:

Mitre CVE Dictionary Links:

FIRST CVSSv3 Calculator:

CVE-2023-34063:

5. Change Log

2024-01-16 VMSA-2024-0001

Initial security advisory.  

6. Contact

E-mail: security@vmware.com

PGP key at:

VMware Security Advisories

VMware Security Response Policy

VMware Lifecycle Support Phases

VMware Security & Compliance Blog  

Twitter

 

Copyright 2024 Broadcom. All rights reserved.
 



Tags:

Related News

Cisa publishes three reviews of industrial control systemsCisa publishes three reviews of industrial control systems

Cisa publishes three reviews of industrial control systems

April 29, 2025
Vulnerability in SAP Netweaver Visual Composer could allow the execution of remote codeVulnerability in SAP Netweaver Visual Composer could allow the execution of remote code

Vulnerability in SAP Netweaver Visual Composer could allow the execution of remote code

April 25, 2025

You may have missed

Cisa publishes three reviews of industrial control systemsCisa publishes three reviews of industrial control systems

Cisa publishes three reviews of industrial control systems

April 29, 2025
Vulnerability in SAP Netweaver Visual Composer could allow the execution of remote codeVulnerability in SAP Netweaver Visual Composer could allow the execution of remote code

Vulnerability in SAP Netweaver Visual Composer could allow the execution of remote code

April 25, 2025
Cisa adds three exploited vulnerabilities known in the catalogCisa adds three exploited vulnerabilities known in the catalog

Cisa adds three exploited vulnerabilities known in the catalog

April 17, 2025
Fortinet publishes an opinion on the new post-exploitation technique for known vulnerabilitiesFortinet publishes an opinion on the new post-exploitation technique for known vulnerabilities

Fortinet publishes an opinion on the new post-exploitation technique for known vulnerabilities

April 11, 2025
Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code ExecutionMultiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution

Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution

April 8, 2025
Fast Flux: A National Security ThreatFast Flux: A National Security Threat

Fast Flux: A National Security Threat

April 1, 2025