VMware Response to CVE-2024-22280 (VMSA-2024-0017)
Article ID: 325790

Products

VMware Aria Suite

Issue/Introduction

  • VMware Aria Automation does not apply correct input validation, which allows SQL injection in the product. VMware has evaluated the severity of this issue to be in the important severity range with a maximum CVSSv3 base score of 8.5.
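The advisory names the vulnerability class (missing input validation leading to SQL injection) but, as an advisory, does not show what the defect looks like in code. The following is an added, generic illustration and is not VMware's or Aria Automation's code: a lookup that splices untrusted input into SQL text next to the same lookup done with a bound parameter, plus an input-shape check as defense in depth. The table, rows and the probe string are constructed for the demonstration.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory table standing in for an application's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE deployments (id INTEGER, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO deployments VALUES (?, ?, ?)",
        [(1, "web-tier", "alice"), (2, "db-tier", "bob"), (3, "batch", "alice")],
    )
    return conn


def lookup_unsafe(conn, owner):
    """Vulnerable pattern: untrusted input is spliced into the SQL text,
    so a value containing a quote can change the statement's structure."""
    sql = "SELECT name FROM deployments WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, owner):
    """Hardened pattern: the value is bound as a parameter and compared
    literally; it can never become part of the statement."""
    sql = "SELECT name FROM deployments WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


# Assumed identifier shape for this toy application; real applications
# derive the allow-list from their own data model.
OWNER_PATTERN = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def validate_owner(owner):
    """Input validation as defense in depth: accept only the identifier
    shape the application expects, before the value reaches any query."""
    if not OWNER_PATTERN.fullmatch(owner):
        raise ValueError("owner contains unexpected characters")
    return owner


if __name__ == "__main__":
    db = make_db()
    # Constructed probe: a closing quote followed by an always-true clause.
    probe = "x' OR 'a'='a"
    print("unsafe:", lookup_unsafe(db, probe))  # every row is returned
    print("safe:  ", lookup_safe(db, probe))    # nothing matches the literal string
```

The two lookups differ only in how the value reaches the database engine; the parameterized form is the fix for the whole class, and the shape check in front of it limits what ever reaches the data layer.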

Environment

  • VMware Aria Automation 8.13 - 8.16.2

Resolution

Prerequisites

Procedure

Resolution

This issue is resolved in versions 8.17.0 and above. For previous versions see the below available patches:

Aria Automation Version    Patch (download link requires login)
8.13.0                     vrlcm-vra-8.13.0-8.13.0.31771.patch
8.13.1                     vrlcm-vra-8.13.1-8.13.1.32402.patch
8.14.0                     vrlcm-vra-8.14.0-8.14.0.33093.patch
8.14.1                     vrlcm-vra-8.14.1-8.14.1.33514.patch
8.16.0                     vrlcm-vra-8.16.0-8.16.0.33723.patch
8.16.1                     vrlcm-vra-8.16.1-8.16.1.34318.patch
8.16.2                     vrlcm-vra-8.16.2-8.16.2.34729.patch

To apply the patch, you must be running one of the versions listed above.

Aria Automation 8.17 and above is not affected by this issue.
There is no Aria Automation version 8.15.

Procedure To Upgrade

  • The upgrade process is documented here.

Procedure To Install a Patch

  • This documents the process when patching the Automation appliance.
  • Upgrading to Aria Automation 8.17 can be performed using the normal upgrade process.

Please ensure that you have created a snapshot of the Aria Automation cluster of appliance(s) to be patched per the Prerequisites section of this article before proceeding with the next steps.

  1. Login to Aria Suite Lifecycle (formerly vRealize Suite Lifecycle Manager)
  2. Click Lifecycle Operations, navigate to Settings > Binary Mapping
  3. Click Patch Binaries.
  4. Download the patches for an offline installation. The patch must be downloaded and applied manually. 
    1. Follow the instructions outlined in Downloading patches, PSPAKs, and hotfixes from Broadcom Support Portal for Aria Suite products.
    2. Download the patch for your version according to the chart in this article.
    3. Using WinSCP or a similar tool, copy the patch to a location on the Aria Suite Lifecycle appliance.
      e.g. /data/patches/vra
    4. Login to Aria Suite Lifecycle and navigate to Settings > Binary Mapping > Patch Binaries.
    5. Select Add Patch Binary, enter the location of the patch on the appliance, click on the appropriate patch and select ADD.
    6. Wait for the request to complete.
    7. Go to Environments and select the environment where the Aria Automation cluster to be updated is hosted.
    8. Select View Details, click on the 3 dots and navigate to Install patch.
    9. Select the patch from the list of downloaded patches.
    10. Click Next.
    11. Review and Install the available patch.
    12. The patch install request progress can be tracked under Requests.
      Note: Remove the snapshot once the patch installation has completed successfully and you have verified that you can access Aria Automation without errors.

Review Installed Patch History:

  1. To view the history of patches, click Patches > History.
  2. Click on History.
    Note: Alternatively, the vracli version patch command may be used to validate that the patch is installed.
    Note: The product version and build numbers reported via the Aria Automation GUI will not change after installing any patches. Please use the steps below to validate the patch installation.
    1. Login to one of the Aria Automation appliances via an SSH session.
    2. Run the following command:
      vracli version patch
    3. Verify the patch installed is in the list.
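Because the GUI version and build numbers do not change after patching, the only reliable signal is the patch listing itself. The following added script (not VMware's tooling) turns the affected range, the version-to-patch table above and the `vracli version patch` output into a single triage verdict per appliance. The format of the `vracli version patch` listing is an assumption; the sample listing is constructed, not captured from a real appliance, and the check only looks for the expected patch file name in the text.

```python
import re

# Version-to-patch mapping copied from the table in this article.
PATCH_FOR_VERSION = {
    "8.13.0": "vrlcm-vra-8.13.0-8.13.0.31771.patch",
    "8.13.1": "vrlcm-vra-8.13.1-8.13.1.32402.patch",
    "8.14.0": "vrlcm-vra-8.14.0-8.14.0.33093.patch",
    "8.14.1": "vrlcm-vra-8.14.1-8.14.1.33514.patch",
    "8.16.0": "vrlcm-vra-8.16.0-8.16.0.33723.patch",
    "8.16.1": "vrlcm-vra-8.16.1-8.16.1.34318.patch",
    "8.16.2": "vrlcm-vra-8.16.2-8.16.2.34729.patch",
}

FIRST_AFFECTED = (8, 13, 0)   # affected range from the Environment section
FIRST_FIXED = (8, 17, 0)      # fixed in 8.17.0 and above


def parse_version(text):
    """Turn '8.16.2' or '8.17' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(part or 0) for part in m.groups())


def patch_status(version, patch_listing):
    """Classify one appliance from its product version and the text of
    `vracli version patch`.  Listing format is an assumption: the check
    only looks for the expected patch file name (without '.patch')."""
    v = parse_version(version)
    if v >= FIRST_FIXED:
        return "not-affected"          # 8.17.0 and above contain the fix
    if v < FIRST_AFFECTED:
        return "out-of-scope"          # older than the range this article covers
    expected = PATCH_FOR_VERSION.get("%d.%d.%d" % v)
    if expected is None:
        return "no-patch-listed"       # e.g. 8.15 does not exist; upgrade to 8.17
    stem = expected[: -len(".patch")]
    if stem in patch_listing:
        return "patched"
    return "vulnerable"                # affected version, patch not installed


# Constructed sample listing, not captured from a real appliance.
SAMPLE_LISTING = """Installed patches:
  vrlcm-vra-8.16.2-8.16.2.34729
"""

if __name__ == "__main__":
    for ver in ("8.16.2", "8.16.1", "8.15.0", "8.17", "8.12.0"):
        print(ver, "->", patch_status(ver, SAMPLE_LISTING))
```

Feed it the version string and the captured listing from each appliance in the cluster; any result other than "patched" or "not-affected" is an appliance that still needs attention.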