Addressing Security Vulnerabilities CVE-2023-34039 and CVE-2023-20890 in VMware Aria Operations for Networks (Formerly vRealize Network Insight) On-Prem installations
search cancel

Addressing Security Vulnerabilities CVE-2023-34039 and CVE-2023-20890 in VMware Aria Operations for Networks (Formerly vRealize Network Insight) On-Prem installations

book

Article ID: 314427

calendar_today

Updated On:

Products

VMware Aria Operations for Networks VMware Aria Suite

Issue/Introduction

Symptoms:

Multiple vulnerabilities in Aria Operations for Networks were responsibly reported to VMware.

Patches and updates are available to remediate these vulnerabilities in vRNI 6.2.0 / 6.3.0 / 6.4.0 / 6.5.1 / 6.6.0 / 6.7.0 / 6.8.0 / 6.9.0 / 6.10.0

CVE-2023-34039:
Aria Operations for Networks contains an Authentication Bypass Vulnerability

CVE-2023-20898:
Aria Operations for Networks contains an  arbitrary file write vulnerability.

These vulnerabilities and their impacts on Aria Operations for Networks are documented in the following VMware Security Advisory (VMSA), please review this document before continuing:
 

VMSA-2023-0018:VMware Aria Operations for Networks updates address multiple vulnerabilities.

Environment

VMware vRealize Network Insight 6.8.0
VMware vRealize Network Insight 6.3.x
VMware vRealize Network Insight 6.6.0
VMware vRealize Network Insight 6.5.1
VMware vRealize Network Insight 6.9.0
VMware Aria Operations for Networks 6.10.0
VMware vRealize Network Insight 6.2.x
VMware Aria Operations for Networks (formerly vRealize Network Insight) 6.x
VMware vRealize Network Insight 6.4.0
VMware vRealize Network Insight 6.7.0

Resolution

Security Vulnerability are fixed in Aria Operations for Networks version 6.11.0.

To mitigate the vulnerability, VMware highly recommends applying the below patch for Aria Operations for Networks version 6.10.
 

Patch Download / Build Number  Download the Patch here Build number: 1692934256
File Name  VMware-AriaOpNetworks.6.10.0.P4.1692934256.patch.bundle
Size   803.15 MB
MD5SUM d982c28f394368316c244e0bb7e44c3a
SHA1SUM 73d9f0f3b5c3bcff09006fbe5e636fa0f9d16b07
SHA256SUM 2c9b7c962f8830b60666c781fc66599f73cae1444e2c42444a85c978c37ea1f5


Note:

1.  Above patches are cumulative of any previous patches for the same version.

2. Before you download and apply the security patch (s) for your Aria Operations for Network deployment, it is advised to perform clean up using steps mentioned in VMware KB: VMware vRealize Network Insight (vRNI) upgrade fails with Insufficient disk space toast message displayed in vRNI GUI to avoid issues with patch upgrade failing with Insufficient disk space toast message displayed in vRNI GUI


Procedure to apply patch bundle via Aria Operations for Networks GUI:

  1. Download the update patch file and save the file on your local system.
  2. Log into the vRealize Network Insight GUI as an Administrator user.

        Note: The default admin@local account can be used.
     
       3. Navigate to Settings > Install and Support > Overview and Updates, then under Product, select Click here
       4. Click Browse to select the locally downloaded patch file and click Upload.
     
        Notes:

  • When the upload is complete, Aria Operations for Networks shows the Bundle Upload Complete message notification within 2-3 minutes and the bundle processing happens in the background.
  • Until the upload of the package happens, ensure that the session is not closed. If the session ends, you have to restart the upload process.
  • Do not refresh the page after bundle upload, until you see the Update Available message notification.

       5. In the Bundle Available message notification, click View details.
            
            
Aria Operations for Networks Update screen appears.
         

  1. Read the Before you proceed instruction and click Continue.
  2. Wait for the pre-checks to complete, which verifies:
  • the disk space, including the space required for migration
  • the version
  • the NTP sync status
  • the bundle checksum
  1. Click Install Now.

You can see the approximate time required to complete the update process on your setup.

  1. Once the update process begins, the Aria Operations for Networks Update screen provides the status of the update process.

Notes:

  • If a node becomes inactive, the update process does not continue. The update will not resume until the node becomes active again.
  • Once the platforms are updated, you can resume your normal Aria Operations for Networks operations even though the collector update happens in parallel. Until the update process is completely over, the Node Version Mismatch detected the message is shown in the Install and Support page.
  1. Upon the completion of the update process, you see the below confirmation message.

          All platform and the collector nodes are updated.


Procedure to apply patch bundle via vRSLCM / VMware-Aria-Suite-Lifecycle 8.12: GUI:

Refer to below mentioned documentations for the steps for VMware vRSLCM/VMware-Aria-Suite-Lifecycle 8.12 respectively:

1. VMware vRSLCM 8.10 and earlier:
Install a patch for products by using vRealize Suite Lifecycle Manager


2. VMware-Aria-Suite-Lifecycle 8.12:
Install a patch for products by using VMware Aria Suite Lifecycle

Additional Information

Impact/Risks:
Aria Operations for Networks(Formerly vRealize Network Insight) On-Prem versions 6.2 / 6.3 / 6.4 / 6.5.1 / 6.6 / 6.7 / 6.8 / 6.9 / 6.10.