January 16, 2024 at 09:12AM
VMware has urged customers to patch a critical vulnerability (CVE-2023-34063, CVSS score of 9.9) affecting Aria Automation and Cloud Foundation. The missing access control flaw could allow unauthorized access to remote organizations and workflows. VMware has released patches for impacted versions and credited external researchers for discovering the vulnerability. Threat actors have exploited VMware product vulnerabilities in the past.
Based on the meeting notes, the key takeaways are as follows:
1. VMware has identified a critical vulnerability, CVE-2023-34063, in its Aria Automation platform (formerly vRealize Automation) and Cloud Foundation, with a CVSS score of 9.9. This vulnerability poses a significant risk as it could allow an authenticated attacker to gain unauthorized access to remote organizations and workflows.
2. VMware has released patches for the impacted versions and is urging customers to install them promptly to mitigate the risk. It is important for organizations to consult with their information security staff to determine the best course of action tailored to their specific needs.
3. The vulnerability was reported by the Scientific Computing Platforms team at the Commonwealth Scientific and Industrial Research Organisation (CSIRO), and VMware is not currently aware of any in-the-wild exploitation.
4. Threat actors commonly exploit vulnerabilities in VMware products, as evidenced by the US security agency CISA’s catalog of known exploited vulnerabilities, which includes 21 VMware bugs affecting Aria products.
5. VMware’s classification of the fix as an emergency change underscores the urgency of addressing this vulnerability, and organizations should act promptly.
6. Other critical security flaws recently disclosed in VMware products, including VMware Cloud Director Appliance and vCenter, further underscore the importance of prioritizing security patches and updates.
These takeaways outline the urgency and importance of addressing the identified vulnerability through prompt patch installation and collaboration with organizational information security staff to tailor the response to specific circumstances.