How to Fix CVE-2023-20864, a Critical Logs Deserialization Vulnerability in VMware Aria?


VMware published an advisory on 20 Apr 2023 disclosing two vulnerabilities in VMware Aria. The flaw tracked as CVE-2023-20864 is rated Critical with a CVSS score of 9.8, and the second, tracked as CVE-2023-20865, is rated Medium or Important in severity with a CVSS score of 5.3. According to the advisory, attackers could abuse these vulnerabilities to carry out remote code execution as root. Given the severity of the flaws, all organizations are strongly advised to patch their VMware Aria deployments immediately. We have created this post to help you learn how to fix CVE-2023-20864, a critical Logs Deserialization Vulnerability in VMware Cloud Foundation.

A Short Introduction About VMware Aria

VMware Aria, formerly known as vRealize Log Insight, is a multi-cloud management portfolio designed to manage the cost, performance, configuration, and delivery of infrastructure and applications for cloud-native environments. It is powered by VMware Aria Graph, a cloud-scale data store technology that captures and maps the complexity of multi-cloud environments in a single view. VMware Aria offers solutions for cloud governance, cloud migration, and business insights at scale. It is designed to address the emerging cross-cloud and cross-discipline management challenges faced by enterprises. With the launch of VMware Aria, VMware is unifying its cloud management offerings under a single family name, providing a set of end-to-end solutions for managing multi-cloud environments.

Key Features of VMware Aria:

  • Cloud management portfolio that unifies applications, infrastructure, and services across private, hybrid, and public clouds from a single platform with a common data model.
  • Provides true multi-cloud management with near real-time visibility.
  • Offers an intelligent cloud delivery solution.
  • Helps to streamline IT operations and delivers faster time to market.
  • Provides a single management console to manage virtual and physical infrastructure.
  • Enables customers to optimize resource utilization and reduce costs.
  • Offers a range of management and automation tools to simplify governance and compliance.

Summary of CVE-2023-20864

This is a Logs Deserialization Vulnerability in VMware Aria (formerly vRealize Log Insight). It is rated Critical and assigned a CVSS score of 9.8 out of 10. It allows an unauthenticated, remote attacker to execute arbitrary code on vulnerable versions of VMware Aria.

Associated CVE ID         CVE-2023-20864
Description               A Critical Logs Deserialization Vulnerability in VMware Aria
Associated ZDI ID
CVSS Score                9.8 Critical
Vector                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Impact Score
Exploitability Score
Attack Vector (AV)        Network
Attack Complexity (AC)    Low
Privileges Required (PR)  None
User Interaction (UI)     None
Scope (S)                 Unchanged
Confidentiality (C)       High
Integrity (I)             High
Availability (A)          High

Summary of CVE-2023-20865

This is a Command Injection Vulnerability in VMware Aria (formerly vRealize Log Insight). It is rated Medium or Important and assigned a CVSS score of 7.2 out of 10. It allows an unauthenticated, remote attacker to execute arbitrary code on vulnerable versions of VMware Aria.

Associated CVE ID         CVE-2023-20865
Description               Command Injection Vulnerability in VMware Aria
Associated ZDI ID
CVSS Score                7.2 Medium
Vector                    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Impact Score
Exploitability Score
Attack Vector (AV)        Network
Attack Complexity (AC)    Low
Privileges Required (PR)  High
User Interaction (UI)     None
Scope (S)                 Unchanged
Confidentiality (C)       High
Integrity (I)             High
Availability (A)          High

VMware Aria Versions Affected by The Vulnerabilities

As per VMSA-2023-0007, CVE-2023-20864 affects only version 8.10.2, and CVE-2023-20865 affects 8.6.x, 8.8.x, 8.10, and 8.10.2.

Vulnerability CVE ID    Affected Versions
CVE-2023-20864          8.10.2
CVE-2023-20865          8.6.x, 8.8.x, 8.10, and 8.10.2

How to Fix CVE-2023-20864 And CVE-2023-20865?

VMware has released patches to fix the vulnerabilities. All users are advised to upgrade their VMware Aria to v8.12.
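Turning the affected-versions table and the fixed release above into an inventory check is the first thing a defender does with an advisory like this. The script below is an added example (not VMware tooling and not part of the original post): it parses version strings, matches them against the advisory's patterns (treating a trailing ".x" as any patch level) and compares them with the 8.12 fix. The hostnames in SAMPLE_INVENTORY are constructed, and the reading of "8.10" as the GA build (equal to 8.10.0) is an assumption.

```python
"""Classify VMware Aria Operations for Logs version strings against the
affected versions from VMSA-2023-0007 as reproduced on this page, and the
fixed release 8.12. Added example; the hostnames below are constructed and
this is not VMware tooling."""

from __future__ import annotations

# Affected versions per the page's table. A trailing ".x" means any patch level.
AFFECTED = {
    "CVE-2023-20864": ["8.10.2"],
    "CVE-2023-20865": ["8.6.x", "8.8.x", "8.10", "8.10.2"],
}
FIXED_VERSION = "8.12"

# Constructed inventory for the demonstration (not real hosts).
SAMPLE_INVENTORY = {
    "loginsight-01.example.test": "8.10.2",
    "loginsight-02.example.test": "8.8.4",
    "loginsight-03.example.test": "8.12.0",
    "loginsight-04.example.test": "8.11.0",
}


def parse_version(text: str) -> tuple[int, ...]:
    """'8.10.2' -> (8, 10, 2). Trailing zeros are dropped so that '8.10' and
    '8.10.0' compare equal (assumption: the advisory's '8.10' means that GA build)."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def matches(version: str, pattern: str) -> bool:
    """Exact match, or prefix match when the pattern ends in '.x'."""
    if pattern.endswith(".x"):
        prefix = parse_version(pattern[:-2])
        return parse_version(version)[: len(prefix)] == prefix
    return parse_version(version) == parse_version(pattern)


def assess(version: str) -> dict:
    """Return status 'patched', 'affected' or 'not_listed' plus matched CVEs.

    'not_listed' flags builds older than 8.12 that the advisory table does not
    name; treat them as needing manual review rather than as safe."""
    hits = [cve for cve, patterns in AFFECTED.items()
            if any(matches(version, p) for p in patterns)]
    if parse_version(version) >= parse_version(FIXED_VERSION):
        status = "patched"
    elif hits:
        status = "affected"
    else:
        status = "not_listed"
    return {"version": version, "status": status, "cves": hits}


def report(inventory: dict) -> dict:
    """Assess every host in an {hostname: version} mapping."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    for host, result in report(SAMPLE_INVENTORY).items():
        print(f"{host:28} {result['version']:8} {result['status']:11} "
              f"{', '.join(result['cves'])}")
```

The separate "not_listed" status is deliberate: a build such as 8.11.0 is neither in the advisory table nor at the fixed release, and an inventory script that silently reported it as clean would hide exactly the hosts that need a human to read the vendor advisory.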

How to Upgrade VMWare Aria?

Upgrading VMware Aria Operations can sound like a tedious task, but following these best practices will help ensure a successful upgrade. This section will guide you through the recommended steps to take before, during, and after the upgrade to ensure your environment remains functional and your customized content remains intact.

Time needed: 30 minutes.


    1. Run the Health Checks and Verify Existing Functionality. Before starting an upgrade, run a general health check to confirm your environment is fully functional. Document any working (or non-working) features so their status can be verified after the upgrade is complete.
    2. Back Up Customized Content. To prevent data loss during the upgrade, back up all customized content.
    3. Take Snapshots of VMs within the Cluster. After verifying functionality and backing up customized content, create snapshots of all analytics VMs within the cluster. This serves as a failsafe in case the upgrade fails.
    4. Confirm Management Pack Interoperability. Some management packs may not be compatible with the new product version, which could render them inoperable. Check the interoperability of your management packs with the updated version before upgrading. See the VMware Product Interoperability Matrix and VMware Compatibility Guide for supported management pack versions.
    5. Schedule Upgrade Timing Wisely. Perform the upgrade outside of dynamic threshold, capacity calculation, costing, or backup processing periods. This avoids capturing high-stress states.
    6. Set a Maintenance Window to Prevent False Alerts. Schedule a maintenance window for the upgrade or cluster resizing to avoid false alerts and notifications.
    7. Review Validation Check Recommendations. A pre-check upgrade validation script runs before the actual upgrade. Address any failures or warnings before proceeding to prevent potential issues.
    8. Reset Default Content Option. Select the option to reset default content and import new content. This overwrites existing content with the updated version shipped with the update, so clone or back up any modified content before proceeding.
    9. Upgrade the OS PAK Before the Virtual Appliance (VA) PAK. For VMware Aria Operations 7.5 and lower, upgrade the OS of the virtual appliance before upgrading VMware Aria Operations to ensure a stable base.
    10. Use the Correct VMware Aria Operations Upgrade PAK File. Starting with VMware Aria Operations 8.1, two PAK files are available for upgrade. Choose the appropriate file for your upgrade scenario.
    11. Verify Functionality After Upgrading. After completing the upgrade, validate that the same functionality exists as before the upgrade began.
    12. Remove VM Snapshots Once the Upgrade Is Verified. Remove all VM snapshots after verifying the environment post-upgrade to prevent performance issues.
    13. Consider Cloud Proxy Upgrade Implications. Be mindful of potential latency and performance issues when upgrading cloud proxies, especially if they are located far from the VMware Aria Operations cluster. Ensure cloud proxies meet the latency requirement of less than 200 ms. If not, remove high-latency cloud proxies from the cluster one by one following the outlined process.
    14. Cluster Best Practices. During the upgrade process, adhere to best practices concerning clusters to ensure a smooth and successful upgrade.
