Addressing CVE-2023-20887, CVE-2023-20888, CVE-2023-20889 in VMware Aria Operations for Networks (formerly vRealize Network Insight) On-Prem installations
Article ID: 312514
Updated On:
Products
Issue/Introduction
Multiple vulnerabilities in Aria Operations for Networks were privately reported to VMware. Patches and updates are available to remediate these vulnerabilities in Aria Operations for Networks (formerly vRealize Network Insight) 6.2 / 6.3 / 6.4 / 6.5.1 / 6.6 / 6.7 / 6.8 / 6.9 / 6.10.
CVE-2023-20887 :
Aria Operations for Networks contains a command injection vulnerability.
CVE-2023-20888 :
Aria Operations for Networks contains an authenticated deserialization vulnerability.
CVE-2023-20889 :
Aria Operations for Networks contains an information disclosure vulnerability.
These vulnerabilities and their impacts on Aria Operations for Networks are documented in the following VMware/Broadcom Security Advisory (VMSA), please review below document before continuing:
https://www.vmware.com/security/advisories/VMSA-2023-0012.html
Environment
VMware vRealize Network Insight 6.2.0
VMware vRealize Network Insight 6.3.0
VMware vRealize Network Insight 6.4.0
VMware vRealize Network Insight 6.5.1
VMware vRealize Network Insight 6.6.0
VMware vRealize Network Insight 6.7.0
VMware vRealize Network Insight 6.8.0
VMware vRealize Network Insight 6.9.0
VMware Aria Operations for Networks 6.10.0
Resolution
To mitigate the vulnerability, VMware highly recommends applying the below patches for Aria Operations for Networks (formerly vRealize Network Insight) versions 6.2 / 6.3 / 6.4 / 6.5.1 / 6.6 / 6.7 / 6.8 / 6.9 / 6.10.
The patch URL mentioned in below for each individual version will take you to Broadcom Portal Main page for the product version.
You would need to login with your credentials to access the URLs.
Search with the Filename mentioned in below table on the respective version URLs.
You will have to Click the checkbox I agree to Terms and Conditions in order for the download URL to be enabled to download the respective version patches from the mentioned URLs in the below tables
Patch for vRealize Network Insight version 6.2.0
| Patch Download / Build Number | Download the Patch here -- build number: 1684162127 |
| File Name | VMware-vRNI.6.2.0.P8.1684162127.patch.bundle |
| Size | 770.94 MB |
| MD5SUM | 3b64f9ac60d60fc2c0c60e72559293e7 |
| SHA1SUM | 3f6e66e9986683e9c69200a9d526036fa06a9977 |
| SHA256SUM | a3fa03463789545623872ede4641719497f5eef2987b8631e6d56d36423a70ea |
Patch for vRealize Network Insight version 6.3.0
| Patch Download / Build Number | Download the Patch here -- build number: 1684163738 |
| File Name | VMware-vRNI.6.3.0.P5.1684163738.patch.bundle |
| Size | 794.35 MB |
| MD5SUM | 7f7efda0e51dcb66fde45f9ec4279a71 |
| SHA1SUM | 8dfd96fb5709b2ca75c4b44b73b37c20b80a5906 |
| SHA256SUM | 5a1c16efb6482a1c922b7fa87819531a4c08a4b44c5c226fbb04bfd9571004f9 |
Patch for vRealize Network Insight version 6.4.0
| Patch Download / Build Number | Download the Patch here -- build number: 1684166601 |
| File Name | VMware-vRNI.6.4.0.P9.1684166601.patch.bundle |
| Size | 871.17 MB |
| MD5SUM | 03ad826e87a20f5faed6246d1709b83a |
| SHA1SUM | f5b92400ea88964fb17ac2fb9490889cb1712726 |
| SHA256SUM | dd2ce136b325f2667ebef5eb11a381a1ff62ea9ddc455d1ba6db3edb66619422 |
Patch for vRealize Network Insight version 6.5.1
| Patch Download / Build Number | Download the Patch here -- build number: 1684151627 |
| File Name | VMware-vRNI.6.5.1.P6.1684151627.patch.bundle |
| Size | 810.31 MB |
| MD5SUM | 696cd7523df53cce886cae08c0576a5b |
| SHA1SUM | 364e460fd3c80d9dac98db1cb58fdbf03d7d2a5d |
| SHA256SUM | e3c99d4d08844d64192a36fd70a1451dec22cc660cab4204260b6420bafbedbe |
Patch for vRealize Network Insight version 6.6.0
| Patch Download / Build Number | Download the Patch here -- build number: 1684154516 |
| File Name | VMware-vRNI.6.6.0.P5.1684154516.patch.bundle |
| Size | 773.44 MB |
| MD5SUM | dd727138aa3066c64ff85c7950c2a8b4 |
| SHA1SUM | 969297e0c69ed52358767328cf355ba27f868c5c |
| SHA256SUM | 7075c544b49ef2587b0de8d1dcb50f0fc5c8b332c89f98f1db175255a90217e0 |
Patch for vRealize Network Insight version 6.7.0
| Patch Download / Build Number | Download the Patch here -- build number: 1684151941 |
| File Name | VMware-vRNI.6.7.0.P5.1684151941.patch.bundle |
| Size | 849.99 MB |
| MD5SUM | b565ff4fe3e6f2c1c9760173f40aaf21 |
| SHA1SUM | 0c459795845cec49cdae6160cbcfffd739497520 |
| SHA256SUM | 3af85020facb582b4197419fcbcec684a1cd3d2d180493867dce46c9ee7f51da |
Patch for vRealize Network Insight version 6.8.0
| Patch Download / Build Number | Download the Patch here -- build number: 1684995353 |
| File Name | VMware-vRNI.6.8.0.P2.1684995353.patch.bundle |
| Size | 1.24 GB |
| MD5SUM | 14f41671b9d65288c0dacd153c3f0c7e |
| SHA1SUM | 6fcd0165a610a25daacbef5bb6fe26557070dd58 |
| SHA256SUM | ba72bbe8f42fefe8a5cf9a3809e6e554a9149f8adb83c699c671e3d7a97fa31d |
Patch for vRealize Network Insight version 6.9.0
| Patch Download / Build Number | Download the Patch here -- build number: 1684998280 |
| File Name | VMware-vRNI.6.9.0.P3.1684998280.patch.bundle |
| Size | 778.76 MB |
| MD5SUM | cc2aea2655df303c94be31d719674543 |
| SHA1SUM | f4847f16bb324928090359d1173935f87f8b2d6a |
| SHA256SUM | c1ffa318de8057e4ad01e54d893317c2a25ef2e74a2a0242b6704c8d4f835f24 |
Patch for Aria Operations for Networks version 6.10.0
| Patch Download / Build Number | Download the Patch here -- build number: 1685358321 |
| File Name | VMware-vRNI.6.10.0.P1.1685358321.patch.bundle |
| Size | 759.77 MB |
| MD5SUM | 8f5cf93cb2830ecf3ff411d729395489 |
| SHA1SUM | 27f3ed0e5b8f9ceaf92ed481643b48d484181b88 |
| SHA256SUM | a652b17bd029edc5b9d044060ec1ef7277ceea545c5f061e02cd5eaaef959ea4 |
Note: Above patches are cumulative of any previous patches for the same version.
Before you download and apply the security patch (s) for your Aria Operations for Network deployment, it is advised to perform clean up using steps mentioned in Broadcom article : https://knowledge.broadcom.com/external/article?legacyId=88977 to avoid issues with patch upgrade failing with Insufficient disk space toast message.
Procedure to apply Aria Operations for Networks patch bundle:
- Download the update patch file and save the file on your local system.
- Log into the GUI as an Administrator user.
Note: The default admin@local account can be used.
3. Navigate to Settings > Install and Support > Overview and Updates, then under Product, select Click here.
4. Click Browse to select the locally downloaded patch file and click Upload.
Notes:
- When the upload is complete, Aria Operations for Networks shows the Bundle Upload Complete message notification within 2-3 minutes and the bundle processing happens in the background.
- Until the upload of the package happens, ensure that the session is not closed. If the session ends, you have to restart the upload process.
- Do not refresh the page after bundle upload, until you see the Update Available message notification.
5. In the Bundle Available message notification, click View details.
Aria Operations for Networks Update screen appears.
- Read the Before you proceed instruction and click Continue.
- Wait for the pre-checks to complete, which verifies:
- the disk space, including the space required for migration
- the version
- the NTP sync status
- the bundle checksum
- Click Install Now.
You can see the approximate time required to complete the update process on your setup.
- Once the update process begins, the Aria Operations for Networks Update screen provides the status of the update process.
Notes:
- If a node becomes inactive, the update process does not continue. The update will not resume until the node becomes active again.
- Once the platforms are updated, you can resume your normal Aria Operations for Networks operations even though the collector update happens in parallel. Until the update process is completely over, the Node Version Mismatch detected the message is shown in the Install and Support page.
- Upon the completion of the update process, you see the below confirmation message.
All platform and the collector nodes are updated.
Feedback
