Aria Automation Users With Restricted Roles Encounter Validation Errors While Submitting Service Broker Requests After Addressing SQL-injection Vulnerability (CVE-2024-22280)

Article ID: 373745


Products

VMware Aria Suite

Issue/Introduction

  • This article addresses an issue encountered after applying the security patch for CVE-2024-22280 in Aria Automation
  • Users with restricted Service Broker roles encounter validation errors when submitting requests for catalog items that use custom forms with external actions or workflows


  • Sample Form Error for Cloud Template in Service Broker Catalogue:
    • Action execution not allowed.; Some data cannot be retrieved. If the problem persists, contact your system administrator. Failed request: xxx.as.xaasprovisioning.presentation/get_xxx_xxx_ic_vmtype_properties.; [45][vCPU.valueList][xxx.as.xaasprovisioning.presentation/get_xxx_xxx_ic_vmtype_properties] Cannot execute external actions due to validation errors [Requested value 'General' is different from the expected one: ''. Change the requested value to match the constant value.;Requested value 'General' is different from the expected one: ''. Change the requested value to match the constant value.;Requested value 'General' is different from the expected one: ''. Change the requested value to match the constant value.;Requested value 'General' is different from the expected one: ''. Change the requested value to match the constant value.;Requested value 'General' is different from the expected one: ''. Change the requested value to match the constant value.;Requested value 'General' is different from the expected one: ''. Change the requested value to match the constant value.]; [46][cpuGen.valueList][xxx.as.xaasprovisioning.presentation/get_xxx_xxx_ic_vmtype_properties] The request did not return a response.;

  • Sample Form Error for Orchestrator Content in Service Broker Catalogue:
    • Action execution not allowed.: Cannot execute external actions due to validation errors [Requested parameter with name: 'priority Groups' should have value.; Requested parameter with name: 'ItmPoolMember" should have value.];...

Environment

  • Aria Automation 8.x

Cause

  • The root cause lies in changes made to the custom form validation logic as part of the CVE-2024-22280 remediation. While the security patch addressed the vulnerability, it introduced an unintended side effect for users with restricted roles
  • Specifically, the updated validation logic now requires additional fields to be populated even when those fields are only conditionally displayed based on user input. This mismatch between conditional visibility and unconditional "required" validation prevents successful form submission for users with limited privileges

Resolution

  • This is a known issue; the next patch release in the 8.18 line will include the fix


Workaround:

  • Identify the following fields in your custom form:
    • ltmPoolMember_Norwest
    • portNumbers_Norwest
    • priorityGroups_Norwest
    • ltmPoolMember_Burwood
    • portNumbers_Burwood
    • priorityGroups_Burwood
    • ltmPoolMember_SingleDC
    • portNumbers_SingleDC
    • priorityGroups_SingleDC
  • Access the custom form configuration and locate the "required" constraint for each listed field
  • Copy the conditional or external value expression from the "visible" property of the field and paste it into the "required" constraint
    • Example:
      • Original Configuration (Issue):

            visible: [{
              "value": true,
              "equals": {
                "<field_id>": "<some_value>"
              }
            }]
            required: [{  // This might be empty
              "value": true
            }]

      • Corrected Configuration (Workaround):

            visible: [{
              "value": true,
              "equals": {
                "<field_id>": "<some_value>"
              }
            }]
            required: [{
              "value": true,
              "equals": {
                "<field_id>": "<some_value>"
              }
            }]

  • Save the changes to the custom form. This will ensure the required validation only applies when the field itself is visible based on user input
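The workaround above is a mechanical edit: for each affected field, the "required" constraint must carry the same condition as the "visible" constraint. The script below is an added example, not VMware's code or part of this article, that applies that edit to a form exported as JSON. It assumes a simplified layout in which the form has a "schema" object keyed by field id and each field has a "constraints" object with "visible" and "required" lists shaped like the snippet above; the real custom form export may nest these differently, so adjust the lookup before using it on a real export. The sample form, the "datacenter" condition field and its values are constructed for the example. The script reports what it did per field and skips fields whose "visible" constraint is a plain constant, since there is no condition to copy.

```python
import copy
import json

# Field ids the article lists as affected.
AFFECTED_FIELDS = [
    "ltmPoolMember_Norwest", "portNumbers_Norwest", "priorityGroups_Norwest",
    "ltmPoolMember_Burwood", "portNumbers_Burwood", "priorityGroups_Burwood",
    "ltmPoolMember_SingleDC", "portNumbers_SingleDC", "priorityGroups_SingleDC",
]


def is_conditional(constraint):
    """True when a constraint list carries a condition (e.g. an "equals" clause)
    rather than only a constant "value"."""
    return any(isinstance(c, dict) and any(k != "value" for k in c) for c in constraint)


def align_required_with_visible(form, field_ids=AFFECTED_FIELDS):
    """Return (fixed_form, report): a deep copy of `form` in which every listed
    field's "required" constraint mirrors its conditional "visible" constraint.
    The report maps each field id to what was done. The input is not modified.
    Assumed layout: form["schema"][field_id]["constraints"]["visible"/"required"]."""
    fixed = copy.deepcopy(form)
    report = {}
    for field_id in field_ids:
        field = fixed.get("schema", {}).get(field_id)
        if field is None:
            report[field_id] = "missing: field not present in this form"
            continue
        constraints = field.setdefault("constraints", {})
        visible = constraints.get("visible")
        if not visible or not is_conditional(visible):
            # Always-visible field: the unconditional "required" is not the problem.
            report[field_id] = "skipped: 'visible' has no condition to copy"
            continue
        if constraints.get("required") == visible:
            report[field_id] = "unchanged: already aligned"
            continue
        constraints["required"] = copy.deepcopy(visible)
        report[field_id] = "updated"
    return fixed, report


# Constructed sample: one field with the faulty constant "required", one already
# aligned, one always visible; the remaining affected fields are absent.
SAMPLE_FORM = {
    "schema": {
        "ltmPoolMember_Norwest": {
            "constraints": {
                "visible": [{"value": True, "equals": {"datacenter": "Norwest"}}],
                "required": [{"value": True}],
            }
        },
        "portNumbers_Norwest": {
            "constraints": {
                "visible": [{"value": True, "equals": {"datacenter": "Norwest"}}],
                "required": [{"value": True, "equals": {"datacenter": "Norwest"}}],
            }
        },
        "priorityGroups_Norwest": {
            "constraints": {
                "visible": [{"value": True}],
                "required": [{"value": True}],
            }
        },
    }
}


def fix_sample():
    """Apply the workaround to the constructed sample form."""
    return align_required_with_visible(SAMPLE_FORM)


if __name__ == "__main__":
    fixed, report = fix_sample()
    for field_id, outcome in report.items():
        print(f"{field_id}: {outcome}")
    print(json.dumps(fixed, indent=2))
```

Run it against an exported form by loading the JSON into `align_required_with_visible`, reviewing the report, and re-importing the result; fields reported as "missing" or "skipped" need no change, and the original dict is left untouched so the before and after can be diffed.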

Additional Information

  • This issue is specific to Service Broker Users with restricted privileges and custom forms involving external actions/workflows after applying the CVE-2024-22280 patch
  • A permanent fix will be available in a future release of Aria Automation (8.18.1) that eliminates the redundant validations for external actions