The company urges customers to update and patch Aria Automation immediately.

VMware has released updates for Aria Automation, its multi-cloud infrastructure automation platform for public, private and hybrid clouds, to fix a critical vulnerability that could allow authenticated attackers to access remote organizations and workflows. VMware Cloud Foundation, a suite of software-defined services for setting up private clouds, is also impacted if the products were deployed using the Aria Suite Lifecycle Manager.

VMware describes the vulnerability (CVE-2023-34063) as a “missing access control” issue and rates it 9.9 out of 10 on the CVSS severity scale. The flaw was privately reported to the company, and VMware is not aware of any in-the-wild exploitation of the issue at this time.

Update Aria Automation before patching vulnerability

All supported versions of Aria Automation (formerly vRealize Automation) are affected. This includes versions 8.11.x, 8.12.x, 8.13.x and 8.14.x. While the company has released individual patches for each of these releases, it strongly recommends that users update to the newly released 8.16 version. Users of affected VMware Cloud Foundation 4.x and 5.x deployments should use the VMware Aria Suite Lifecycle Manager to upgrade VMware Aria Automation to the fixed version.

“To apply the patch, your system must be running the latest version of the major release,” the company said in a FAQ document for the vulnerability. “For example, if your system is on Aria Automation 8.12.1, you must first update to 8.12.2 before applying the patch. After patching, the only supported upgrade path is to move to version 8.16 or a newer version.”

No action needed for Aria Automation Cloud

Aria Automation Cloud is not affected, as mitigations have already been implemented on the server side by VMware, which runs the service.
VMware vCenter, VMware ESXi and Aria Orchestrator are also not affected, but VMware notes that as of version 8.16, access to Automation Orchestrator is governed by separate Orchestrator service roles. The company also warns that if users choose to upgrade to intermediate versions, for example from 8.12.x to 8.13.x instead of upgrading to 8.16, the vulnerability will be reintroduced and a new round of patching will be required.

“There may be other mitigations and compensating controls that could be applicable within your organization, dependent on your security posture, defense-in-depth strategies, and the configurations of perimeter and appliance firewalls,” the company said. “Each organization must assess for themselves whether to rely on these protections and how to effectively configure these measures for their environment.”