VMware Aria Automation 8.16.2 through 8.18.0 updates for potential impact from CVE-2024-6387

search cancel

VMware Aria Automation 8.16.2 through 8.18.0 updates for potential impact from CVE-2024-6387

book

Article ID: 372561

calendar_today

Updated On:

Products

VMware Aria Suite

Issue/Introduction

VMware Aria Automation 8.16.2 through 8.18.0 are potentially impacted (ships with vulnerable versions of OpenSSH, but are 64-bit) to the issue reported in CVE-2024-6387.

Environment

VMware Aria Automation 8.16.2
VMware Aria Automation 8.17
VMware Aria Automation 8.18.0
VMware Aria Automation Orchestrator 8.16.2 - 8.18.0

Cause

See https://nvd.nist.gov/vuln/detail/CVE-2024-6387 and Broadcom VMware Cloud Foundation Division response to CVE-2024-6387 - OpenSSH signal handler race condition vulnerability for additional information.

Resolution

Preferred solution

Please upgrade Aria Automation to at least version 8.18.1
CVE-2024-6387 is resolved in OpenSSH version 8.9p1-8.ph4 or later, which is provided from Aria automation 8.18.1 onwards

Manual workaround

Note: This CVE-2024-6387 has been fixed in Aria automation 8.18.1 as the version of OpenSSH has been updated in this release.
Manually updating RPM packages on VMware appliances is not recommended without supervision from Broadcom support.

Prerequisites

Ensure you have valid snapshots or backups of the Aria Automation appliance(s).

Procedure

Download the following packages from the Photon OS 4 Package Repository:
- openssh-clients
- openssh-server
- openssh
Copy each file to each appliance in the cluster to the same folder such as /tmp.
SSH into each appliance and run the following commands. Perform these steps once for each node:

1. cd PathToRPMs
2. Install the packages using the rpm command. For example for version 8.9p1-10:
  1. rpm -U --nodeps openssh-clients-8.9p1-10.ph4.x86_64.rpm openssh-server-8.9p1-10.ph4.x86_64.rpm openssh-8.9p1-10.ph4.x86_64.rpm
3. systemctl daemon-reload

Verification

Run the following command to confirm the package version:
- rpm -qa | grep openssh
Minimum fixed versions reported:
- openssh-clients-8.9p1-8.ph4.x86_64
  openssh-server-8.9p1-8.ph4.x86_64
  openssh-8.9p1-8.ph4.x86_64
Any later package version within the openssh-8.x family will not be impacted

Feedback

thumb_up Yes

thumb_down No