VMware Response To CVE-2023-34063 (VMSA-2024-0001)
Article ID: 323211


Products

VMware Aria Suite

Issue/Introduction

  • CVE-2023-34063 details a missing access control vulnerability that impacts Aria Automation.
  • VMware's response to this vulnerability is documented in VMSA-2024-0001.
  • Please ensure that you have reviewed VMSA-2024-0001 before proceeding with the instructions in this article.

The Aria Automation 8.16 release notes document a known issue that can impact environments post upgrade. This issue also impacted older versions after installing one of the original patches documented below.
In response to this, VMware has released updated patches that mitigate the vulnerability documented in VMSA-2024-0001 and also include a fix for the issue detailed in KB:314888.

Resolution

All versions of Aria Automation 8.11.x, 8.12.x, 8.13.x and 8.14.x are impacted by this vulnerability.
Customers running versions of Aria Automation that are past their end of general support date are advised to upgrade to a supported version and then mitigate this issue as per the information provided in this article.

To mitigate the vulnerability, VMware recommends upgrading to Aria Automation 8.16.
Alternatively, patches are available for the Aria Automation versions listed below.

In response to the issue documented in KB:314888, VMware has released updated patches.
The original patches fully mitigate the vulnerability documented in VMSA-2024-0001, but introduced an issue with custom forms as detailed in KB:314888.
The later patches fully mitigate the vulnerability and resolve the custom form issue.

Aria Automation Version | Original Patch                        | Patch Including Fix For KB 96181
8.11.2                  | vrlcm-vra-8.11.2-8.11.2.30127.patch   | vrlcm-vra-8.11.2-8.11.2.30135.patch
8.12.2                  | vrlcm-vra-8.12.2-8.12.2.31368.patch   | vrlcm-vra-8.12.2-8.12.2.31375.patch
8.13.1                  | vrlcm-vra-8.13.1-8.13.1.32385.patch   | vrlcm-vra-8.13.1-8.13.1.32392.patch
8.14.1                  | vrlcm-vra-8.14.1-8.14.1.33501.patch   | vrlcm-vra-8.14.1-8.14.1.33507.patch
8.16                    | No Patch - Fix included in 8.16 GA    | vrlcm-vra-8.16.0-8.16.0.33716.patch


To apply the patch, you must be running one of the versions listed above.
If the environment to be patched is running an earlier version, it must first be upgraded to one of the listed versions, and then the patch must be installed on that version.

For example:

  • The environment is running Aria Automation 8.12
  • The environment must be upgraded to 8.12.2
  • The patch is to be installed on 8.12.2
  • Then install the patch detailed in the table above
    • The patch is to be installed on the Aria Automation appliances only

Aria Automation 8.16 is not impacted by this issue.
There is no Aria Automation version 8.15.

As documented in the Aria Automation 8.16 release notes, the fix for this issue changes how Aria Automation Orchestrator actions are executed by the form-service API and introduces checks to ensure that the action being executed is part of a catalog or day 2 operation.
As a result of these changes, VMware strongly recommends upgrading to Aria Automation 8.16 to mitigate the issue.
In addition, due to the nature of the changes, the upgrade path after installing one of the patches is Aria Automation 8.16.

Updating from a "patched" environment to a version other than Aria Automation 8.16 will re-introduce the vulnerability until the associated patch is installed.
 
Aria Automation Version | Recommended Solution | Alternative Solution | Upgrade Path Post Patching
8.11   | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch | Upgrade to 8.11.2 and install patch | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch
8.11.1 | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch | Upgrade to 8.11.2 and install patch | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch
8.11.2 | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch | Install patch on 8.11.2              | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch
8.12   | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch | Upgrade to 8.12.2 and install patch | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch
8.12.1 | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch | Upgrade to 8.12.2 and install patch | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch
8.12.2 | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch | Install patch on 8.12.2              | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch
8.13   | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch | Upgrade to 8.13.1 and install patch | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch
8.13.1 | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch | Install patch on 8.13.1              | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch
8.14   | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch | Upgrade to 8.14.1 and install patch | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch
8.14.1 | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch | Install patch on 8.14.1              | Upgrade to Aria Automation 8.16 and install vrlcm-vra-8.16.0-8.16.0.33716.patch


Note: If you would like to upgrade to VMware Aria Automation 8.16, VMware Aria Suite Lifecycle 8.14 Product Support Pack 4 must be applied first.

Please refer to release notes: VMware Aria Suite Lifecycle 8.14 Product Support Pack Release Notes

The patches are to be installed using Aria Suite Lifecycle; the process is documented here and the required steps are also provided below.
Environments running older versions that are end of support are recommended to upgrade to 8.16, or to upgrade to a version that has a patch available and then install the appropriate patch.

Procedure To Upgrade
The upgrade process is documented here

Procedure To Install A Patch
(This documents the process for patching the Automation appliance. Upgrading to Aria Automation 8.16 can be performed using the normal upgrade process.)
(Screenshots are provided as a guide only. Details such as versions may differ in the environment to be patched.)

Please ensure that you have created a snapshot of the Aria Automation appliance to be patched before proceeding with these steps.


1) Log in to Aria Suite Lifecycle (formerly vRealize Suite Lifecycle Manager).
2) Click Lifecycle Operations, then navigate to Settings > Binary Mappings.
3) Click Patch Binaries.
4) Click "CHECK PATCHES ONLINE" to refresh the list of available patches.
5) Once complete, filter for the required patch version, e.g. 8.11.
6) Click Download and wait for the request to complete.

If the patches are not available, or there is no internet connectivity, see the steps below. Otherwise, skip to step 7.

a) The patches can also be downloaded and applied manually.
b) Go to the "SolutionFiles - Support Portal - Broadcom support portal" page and log in.
c) Download the appropriate patch using the steps in the article: How to download Aria Suite Lifecycle Product Support Packs and Patches
d) Using WinSCP or similar, copy the patch to a location on the Lifecycle Manager appliance, e.g. /data/patches/vra
e) Log in to Lifecycle Manager and navigate to Settings > Binary Mapping > Patch Binaries.
f) Select "Add Patch Binary", enter the location of the patch on the appliance, click on the appropriate patch and select ADD.
g) Wait for the request to complete.

7) Go to Environments and select the environment where the Aria Automation appliances to be updated are hosted.
8) Select "View Details", click on the three dots and navigate to "Install patch".
9) Select the patch from the list of downloaded patches.
10) Click Next.
11) Review and install the available patch.
12) The patch install request progress can be tracked under Requests.

Remove the snapshot once the patch installation has completed.

To view the history of patches, click Patches > History.

Alternatively, the "vracli version patch" command can be used to validate that the patch is installed.
Note: The product version and build numbers reported via the Aria Automation GUI will not change after installing any of the patches. Please use the steps below to validate the patch installation.

1) Log in to the Aria Automation appliance via an SSH session.
2) Execute the command below:
       vracli version patch
3) This will list the details of any patch installed.

4) The patch numbers reported for each version are shown below.

Original Patch
Aria Automation Version | Reported Patch Number
8.11.2                  | 23104361
8.12.2                  | 23104358
8.13.1                  | 23104357
8.14.1                  | 23104270

Cumulative Patch Including Fix for KB 314888
Aria Automation Version | Reported Patch Numbers
8.11.2                  | 23104361, 23191939
8.12.2                  | 23104358, 23191130
8.13.1                  | 23104357, 23191129
8.14.1                  | 23104270, 23192207
8.16                    | 23208597
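As an added example (not part of the KB or of the vracli tooling), the following POSIX shell check turns the patch numbers from the tables above into a verdict on an appliance's state: unpatched, original patch only (CVE mitigated, custom-form issue from KB 314888 still present), or cumulative. The output layout of "vracli version patch" is an assumption; the script only looks for the listed patch numbers as whole words, and the "Patch ID:" sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the KB: classify an Aria Automation appliance's patch
# state from the output of `vracli version patch`, using the KB's patch numbers.
# The command's exact output layout is an assumption; only whole-word matches of
# the patch numbers are used, so any layout that prints them as-is will work.

# patch_ids VERSION -> "ORIGINAL_ID CUMULATIVE_ID" ("-" = no original patch exists)
patch_ids() {
    case "$1" in
        8.11.2) echo "23104361 23191939" ;;
        8.12.2) echo "23104358 23191130" ;;
        8.13.1) echo "23104357 23191129" ;;
        8.14.1) echo "23104270 23192207" ;;
        8.16)   echo "- 23208597" ;;   # 8.16 GA already contains the CVE fix
        *)      return 1 ;;
    esac
}

# patch_state VERSION OUTPUT -> cumulative | original-only | unpatched | unknown-version
patch_state() {
    ids=$(patch_ids "$1") || { echo "unknown-version"; return 1; }
    orig=${ids%% *}
    cumul=${ids##* }
    if printf '%s\n' "$2" | grep -qw -- "$cumul"; then
        echo "cumulative"        # CVE mitigated and KB 314888 custom-form fix present
    elif [ "$orig" != "-" ] && printf '%s\n' "$2" | grep -qw -- "$orig"; then
        echo "original-only"     # CVE mitigated, but the KB 314888 custom-form issue remains
    else
        echo "unpatched"         # on 8.11.x-8.14.x this means still exposed to CVE-2023-34063
    fi
}

# Constructed sample output (layout assumed) so the script runs off the appliance.
SAMPLE_OUTPUT="Patch ID: 23104358
Patch ID: 23191130"

# On the appliance you would run:  patch_state 8.12.2 "$(vracli version patch)"
patch_state 8.12.2 "$SAMPLE_OUTPUT"   # prints: cumulative
```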
 
Note
The Aria Automation 8.16 release notes document a known issue that can impact environments post upgrade. This issue can also impact older versions after installing one of the patches above.
Please see KB:314888 for details.