VMware: Addressing Security Vulnerabilities CVE-2023-34039 and CVE-2023-20890 in VMware Aria
Addressing Security Vulnerabilities CVE-2023-34039 and CVE-2023-20890 in VMware Aria Operations for Networks (Formerly vRealize Network Insight) On-Prem installations (94152)
Symptoms
Multiple vulnerabilities in Aria Operations for Networks were responsibly reported to VMware.
Patches and updates are available to remediate these vulnerabilities in vRNI 6.2.0 / 6.3.0 / 6.4.0 / 6.5.1 / 6.6.0 / 6.7.0 / 6.8.0 / 6.9.0 / 6.10.0
CVE-2023-34039:
Aria Operations for Networks contains an Authentication Bypass Vulnerability
CVE-2023-20898:
Aria Operations for Networks contains an arbitrary file write vulnerability.
These vulnerabilities and their impacts on Aria Operations for Networks are documented in the following VMware Security Advisory (VMSA), please review this document before continuing:
https://www.vmware.com/security/advisories/VMSA-2023-0018.html
Impact / Risks
Aria Operations for Networks(Formerly vRealize Network Insight) On-Prem versions 6.2 / 6.3 / 6.4 / 6.5.1 / 6.6 / 6.7 / 6.8 / 6.9 / 6.10.
Resolution
Security Vulnerability are fixed in Aria Operations for Networks version 6.11.0.
To mitigate the vulnerability, VMware highly recommends applying the below patches for Aria Operations for Networks versions 6.2 / 6.3 / 6.4 / 6.5.1 / 6.6 / 6.7 / 6.8 / 6.9 / 6.10.
Patch for Aria Operations for Networks version 6.2.0
| Patch Download / Build Number | Download the Patch here Build number: 1688977536 |
| File Name | VMware-vRNI.6.2.0.P9.1688977536.patch.bundle |
| Size | 257.67 MB |
| MD5SUM | 8feaf7990529889b75e2f26a6ff3c376 |
| SHA1SUM | ccd62c1b69b2876b0152d6971ee83f5909d7b8b7 |
| SHA256SUM | b236d52fdcc94aa96ae0144e99b002f703730c065d996a4cf5021c7777eab802 |
Patch for Aria Operations for Networks version 6.3.0
| Patch Download / Build Number | Download the Patch here Build number: 1688986302 |
| File Name | VMware-vRNI.6.3.0.P6.1688986302.patch.bundle |
| Size | 794.35 MB |
| MD5SUM | e12ffa4a85c32eb662ee385f8d655a9c |
| SHA1SUM | a698b62502324f70a5de2eb6cbedceb17f782383 |
| SHA256SUM | fd06ebeb2ea72edb95c036a0c5595f4f7f96388cd7254c15b6aeb428d9b68258 |
Patch for Aria Operations for Networks version 6.4.0
| Patch Download / Build Number | Download the Patch here Build number: 1689079386 |
| File Name | VMware-vRNI.6.4.0.P10.1689079386.patch.bundle |
| Size | 871.2 MB |
| MD5SUM | a1c1787cf2851a97d4841bee41f2a43a |
| SHA1SUM | 2f8c236a6c57d727f8fd678986f4cba49bb41af1 |
| SHA256SUM | aa0512f11b3bce23151f907dffbbd960b3ab6d7908ebf436f48b525fca021d62 |
Patch for Aria Operations for Networks version 6.5.1
| Patch Download / Build Number | Download the Patch here Build number: 1688974096 |
| File Name | VMware-vRNI.6.5.1.P8.1688974096.patch.bundle |
| Size | 813.15 MB |
| MD5SUM | 6faf92058773f1fca8648ac347049491 |
| SHA1SUM | 674a6db2b7fccf19dffc3f5d2c359ceae9bbaf46 |
| SHA256SUM | 4b3c96cfaa9c15bd3a3e45ed6902f15c80d54bcbb4bf05015be8587467b2b60e |
Patch for Aria Operations for Networks version 6.6.0
| Patch Download / Build Number | Download the Patch here Build number: 1688979729 |
| File Name | VMware-vRNI.6.6.0.P6.1688979729.patch.bundle |
| Size | 773.44 MB |
| MD5SUM | 044a4e5698778b99dbec4df4e94d7f84 |
| SHA1SUM | e3ee9f87b69cf64ad0bdd5aa48fa59c55b93a037 |
| SHA256SUM | c12920451ef5b6a752b80c33ece088fe55525315b59f72b9d232632cc157894e |
Patch for Aria Operations for Networks version 6.7.0
| Patch Download / Build Number | Download the Patch here Build number: 1688972173 |
| File Name | VMware-vRNI.6.7.0.P6.1688972173.patch.bundle |
| Size | 849.97 MB |
| MD5SUM | ffe6ac2d299e8ace98b1a69a42568800 |
| SHA1SUM | 7b57e80466aa95814968f7a956d9c60a9be4d2c4 |
| SHA256SUM | 85fbf5c55aa1b37b9b18fb11671f12148e8af12c69d8bdf7b3f042b727552446 |
Patch for Aria Operations for Networks version 6.8.0
| Patch Download / Build Number | Download the Patch here Build number: 1688989059 |
| File Name | VMware-vRNI.6.8.0.P3.1688989059.patch.bundle |
| Size | 749.4 MB |
| MD5SUM | faa69c996a77e342fbdb93a86e07719d |
| SHA1SUM | 6bff63080b4d1fbecd82ddeb802c55d861782377 |
| SHA256SUM | 89bd71e10322a20b565815f5ce08b5a7ebfe760434338272c2cb97a4ef1dc00e |
Patch for Aria Operations for Networks version 6.9.0
| Patch Download / Build Number | Download the Patch here Build number: 1688995771 |
| File Name | VMware-vRNI.6.9.0.P5.1688995771.patch.bundle |
| Size | 778.77 MB |
| MD5SUM | f9e2bd4232235360bfc5a7e30e579469 |
| SHA1SUM | 0f59ae05f1f4494a019744a3d83e5d87abcd51c9 |
| SHA256SUM | ba46a8f51421c933daa91a0e7f6af9ae7dd8494ecce174d81bb087b4bbbacc66 |
Patch for Aria Operations for Networks version 6.10.0
| Patch Download / Build Number | Download the Patch here Build number: 1692934256 |
| File Name | VMware-AriaOpNetworks.6.10.0.P4.1692934256.patch.bundle |
| Size | 803.15 MB |
| MD5SUM | d982c28f394368316c244e0bb7e44c3a |
| SHA1SUM | 73d9f0f3b5c3bcff09006fbe5e636fa0f9d16b07 |
| SHA256SUM | 2c9b7c962f8830b60666c781fc66599f73cae1444e2c42444a85c978c37ea1f5 |
Note:
1. Above patches are cumulative of any previous patches for the same version.
2. Before you download and apply the security patch (s) for your Aria Operations for Network deployment, it is advised to perform clean up using steps mentioned in VMware KB: https://kb.vmware.com/s/article/88977 to avoid issues with patch upgrade failing with Insufficient disk space toast message.
Procedure to apply patch bundle via Aria Operations for Networks GUI:
- Download the update patch file and save the file on your local system.
- Log into the vRealize Network Insight GUI as an Administrator user.
Note: The default admin@local account can be used.
3. Navigate to Settings > Install and Support > Overview and Updates, then under Product, select Click here.
4. Click Browse to select the locally downloaded patch file and click Upload.
Notes:
- When the upload is complete, Aria Operations for Networks shows the Bundle Upload Complete message notification within 2-3 minutes and the bundle processing happens in the background.
- Until the upload of the package happens, ensure that the session is not closed. If the session ends, you have to restart the upload process.
- Do not refresh the page after bundle upload, until you see the Update Available message notification.
5. In the Bundle Available message notification, click View details.
Aria Operations for Networks Update screen appears.
- Read the Before you proceed instruction and click Continue.
- Wait for the pre-checks to complete, which verifies:
- the disk space, including the space required for migration
- the version
- the NTP sync status
- the bundle checksum
- Click Install Now.
You can see the approximate time required to complete the update process on your setup.
- Once the update process begins, the Aria Operations for Networks Update screen provides the status of the update process.
Notes:
- If a node becomes inactive, the update process does not continue. The update will not resume until the node becomes active again.
- Once the platforms are updated, you can resume your normal Aria Operations for Networks operations even though the collector update happens in parallel. Until the update process is completely over, the Node Version Mismatch detected the message is shown in the Install and Support page.
- Upon the completion of the update process, you see the below confirmation message.
All platform and the collector nodes are updated.
Procedure to apply patch bundle via vRSLCM / VMware-Aria-Suite-Lifecycle 8.12: GUI:
Refer to below mentioned documentations for the steps for VMware vRSLCM/VMware-Aria-Suite-Lifecycle 8.12 respectively:
1. VMware vRSLCM 8.10 and earlier:
https://docs.vmware.com/en/VMware-vRealize-Suite-Lifecycle-Manager/8.10/com.vmware.vrsuite.lcm.8.10.doc/GUID-DB30A1A6-6DD4-421A-BADF-3C60C21FF456.html
2. VMware-Aria-Suite-Lifecycle 8.12:
https://docs.vmware.com/en/VMware-Aria-Suite-Lifecycle/8.12/lifecycle-install-upgrade-manage/GUID-DB30A1A6-6DD4-421A-BADF-3C60C21FF456.html
About Author
