VMware Aria Automation 8.16.2 through 8.18 updates for potential impact from CVE-2024-6387

Article ID: 372561

Updated On:

Products

VMware Aria Suite

Issue/Introduction

  • VMware Aria Automation 8.16.2 through 8.18 are potentially impacted by the issue reported in CVE-2024-6387. These releases ship with vulnerable versions of OpenSSH, but are 64-bit.

Environment

  • VMware Aria Automation 8.16.2
  • VMware Aria Automation 8.17
  • VMware Aria Automation 8.18
  • VMware Aria Automation Orchestrator 8.x

Cause

Resolution

Prerequisites

  • Ensure you have valid snapshots or backups of the Aria Automation appliance(s).

Procedure

  1. Download the following packages:
  2. Copy each file to the same folder, such as /tmp, on each appliance in the cluster.
  3. SSH into each appliance and run the following commands. Perform these steps once for each node:
    1. cd PathToRPMs
    2. rpm -U --nodeps openssh-clients-8.9p1-8.ph4.x86_64.rpm openssh-server-8.9p1-8.ph4.x86_64.rpm openssh-8.9p1-8.ph4.x86_64.rpm
    3. systemctl daemon-reload

Verification

  1. Run the following command to review the updated package:

rpm -qa | grep openssh

Expected Results:

openssh-clients-8.9p1-8.ph4.x86_64
openssh-server-8.9p1-8.ph4.x86_64
openssh-8.9p1-8.ph4.x86_64
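
The verification step above can be scripted so that a node where only some of the three packages were updated is caught. This is an added example, not part of the original article or any VMware tooling; the function name check_openssh_pkgs and its MISSING/UNEXPECTED output lines are assumptions.

```shell
#!/bin/sh
# Added example: compare the output of `rpm -qa` from one node with the
# package set listed under "Expected Results" in this article.
# Usage on a node: rpm -qa | check_openssh_pkgs

EXPECTED_VER="8.9p1-8.ph4.x86_64"                      # from the article
EXPECTED_PKGS="openssh openssh-clients openssh-server" # from the article

# Reads a package list on stdin. Prints one line per problem and returns 0
# only when all three packages are at EXPECTED_VER and no other build of
# them is still installed.
check_openssh_pkgs() {
    pkgs=$(grep '^openssh' || true)
    rc=0

    # Every expected package must be present as an exact line.
    for name in $EXPECTED_PKGS; do
        want="${name}-${EXPECTED_VER}"
        if ! printf '%s\n' "$pkgs" | grep -qxF "$want"; then
            echo "MISSING: $want"
            rc=1
        fi
    done

    # Any other build of the same three packages means the update did not
    # fully apply on this node.
    for line in $pkgs; do
        case "$line" in
            openssh-"$EXPECTED_VER"|openssh-clients-"$EXPECTED_VER"|openssh-server-"$EXPECTED_VER")
                ;;
            openssh-[0-9]*|openssh-clients-[0-9]*|openssh-server-[0-9]*)
                echo "UNEXPECTED: $line"
                rc=1
                ;;
        esac
    done
    return $rc
}
```

A non-zero exit status on any node means the rpm -U step should be reviewed on that node before it is treated as updated.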