Symptoms:
Multiple vulnerabilities in Aria Operations for Networks were responsibly reported to VMware.
Patches and updates are available to remediate these vulnerabilities in vRNI 6.2.0 / 6.3.0 / 6.4.0 / 6.5.1 / 6.6.0 / 6.7.0 / 6.8.0 / 6.9.0 / 6.10.0
CVE-2023-34039:
Aria Operations for Networks contains an Authentication Bypass Vulnerability
CVE-2023-20898:
Aria Operations for Networks contains an arbitrary file write vulnerability.
These vulnerabilities and their impacts on Aria Operations for Networks are documented in the following VMware Security Advisory (VMSA), please review this document before continuing:
VMSA-2023-0018:VMware Aria Operations for Networks updates address multiple vulnerabilities.
VMware vRealize Network Insight 6.8.0
VMware vRealize Network Insight 6.3.x
VMware vRealize Network Insight 6.6.0
VMware vRealize Network Insight 6.5.1
VMware vRealize Network Insight 6.9.0
VMware Aria Operations for Networks 6.10.0
VMware vRealize Network Insight 6.2.x
VMware Aria Operations for Networks (formerly vRealize Network Insight) 6.x
VMware vRealize Network Insight 6.4.0
VMware vRealize Network Insight 6.7.0
Security Vulnerability are fixed in Aria Operations for Networks version 6.11.0.
To mitigate the vulnerability, VMware highly recommends applying the below patch for Aria Operations for Networks version 6.10.
Patch Download / Build Number | Download the Patch here Build number: 1692934256 |
File Name | VMware-AriaOpNetworks.6.10.0.P4.1692934256.patch.bundle |
Size | 803.15 MB |
MD5SUM | d982c28f394368316c244e0bb7e44c3a |
SHA1SUM | 73d9f0f3b5c3bcff09006fbe5e636fa0f9d16b07 |
SHA256SUM | 2c9b7c962f8830b60666c781fc66599f73cae1444e2c42444a85c978c37ea1f5 |
Note:
1. Above patches are cumulative of any previous patches for the same version.
2. Before you download and apply the security patch (s) for your Aria Operations for Network deployment, it is advised to perform clean up using steps mentioned in VMware KB: VMware vRealize Network Insight (vRNI) upgrade fails with Insufficient disk space toast message displayed in vRNI GUI to avoid issues with patch upgrade failing with Insufficient disk space toast message displayed in vRNI GUI.
Procedure to apply patch bundle via Aria Operations for Networks GUI:
Note: The default admin@local account can be used.
3. Navigate to Settings > Install and Support > Overview and Updates, then under Product, select Click here.
4. Click Browse to select the locally downloaded patch file and click Upload.
Notes:
5. In the Bundle Available message notification, click View details.
Aria Operations for Networks Update screen appears.
You can see the approximate time required to complete the update process on your setup.
Notes:
All platform and the collector nodes are updated.
Procedure to apply patch bundle via vRSLCM / VMware-Aria-Suite-Lifecycle 8.12: GUI:
Refer to below mentioned documentations for the steps for VMware vRSLCM/VMware-Aria-Suite-Lifecycle 8.12 respectively:
1. VMware vRSLCM 8.10 and earlier:
Install a patch for products by using vRealize Suite Lifecycle Manager
2. VMware-Aria-Suite-Lifecycle 8.12:
Install a patch for products by using VMware Aria Suite Lifecycle