CyberSecurity updates
2024-12-26 16:40:32 Pacific

VMware Patches Multiple Vulnerabilities in Aria Operations - 26d
Read more: securityonline.info

VMware has urgently released patches for five vulnerabilities affecting its Aria Operations product (formerly VMware vRealize Operations). These vulnerabilities, ranging in severity from Important to Moderate, could allow for both privilege escalation and Cross-Site Scripting (XSS) attacks. The most severe vulnerabilities, CVE-2024-38830 and CVE-2024-38831, could allow a malicious actor with local administrative privileges to gain root access to the Aria Operations appliance, potentially leading to complete system compromise.

The remaining three vulnerabilities are categorized as stored XSS flaws. These vulnerabilities, while less severe in terms of direct system access, could still allow attackers with sufficient access to inject malicious scripts. This injection could result in unauthorized actions or the theft of sensitive data, highlighting the need for robust security measures within cloud management platforms. Versions 8.x of Aria Operations and VMware Cloud Foundation (4.x and 5.x) are affected.

VMware urges users to update immediately to version 8.18.2 or later to mitigate these risks. The company has thanked security researchers from MoyunSec Vlab, Michelin CERT, and independent researchers for responsibly disclosing these vulnerabilities. While there are no reports of active exploitation yet, the potential for significant damage underscores the critical importance of applying the available patches without delay. No workarounds are available for users unable to immediately update their systems.