VMware Aria Operations for Networks formerly vRNI (vRealize Network Insight) helps you build an optimized, highly available and secure network infrastructure across hybrid and multi-cloud environments. It provides network visibility and analytics to accelerate micro-segmentation security, minimize risk during application migration, optimize network performance and confidently manage and scale VMware NSX, VMware SD-WAN, and Kubernetes deployments.
Multiple vulnerabilities in Aria Operations for Networks were responsibly reported to VMware.
CVE-2023-34039:
Aria Operations for Networks contains an Authentication Bypass Vulnerability
CVE-2023-20898:
Aria Operations for Networks contains an arbitrary file write vulnerability.
Impact / Risks (Affected Versions)
Aria Operations for Networks (Formerly vRealize Network Insight) On-Prem versions 6.2 / 6.3 / 6.4 / 6.5.1 / 6.6 / 6.7 / 6.8 / 6.9 / 6.10.
Resolution
Security Vulnerability are fixed in Aria Operations for Networks version 6.11.0.
To mitigate the vulnerability, VMware highly recommends applying the patches can be downloaded from VMware KB 94152 for Aria Operations for Networks versions 6.2 / 6.3 / 6.4 / 6.5.1 / 6.6 / 6.7 / 6.8 / 6.9 / 6.10.
How to Apply the Patch for VMware Aria Operations for Networks (vRNI)
1. If you are running on any of the affected version of VMware Aria Operations for Networks. Download the respective patch for based on your vRNI version from the VMware KB 94152
2. In my case, I am running with VMware Aria Operations for Networks 6.7. So, I have downloaded the patch file “VMware-vRNI.6.7.0.P6.1688972173.patch.bundle”
3. Log into the vRealize Network Insight GUI as an Administrator user. The default admin@local account can be used.
4. Navigate to Settings > Install and Support > Overview and Updates, then under Product, select Click here. Click Browse to select the locally downloaded patch file and click Upload.
When the upload is complete, Aria Operations for Networks shows the Bundle Upload Complete message notification within 2-3 minutes and the bundle processing happens in the background.
Until the upload of the package happens, ensure that the session is not closed. If the session ends, you have to restart the upload process. Do not refresh the page after bundle upload, until you see the Update Available message notification.
5. In the Bundle Available message notification, click View details. Aria Operations for Networks Update screen appears.
6. Read the Before you proceed instruction and click Continue. Wait for the pre-checks to complete, which verifies:
- the disk space, including the space required for migration
- the version
- the NTP sync status
- the bundle checksum
Ensure all the checks are completed. Once all the checks are green. Install Now option will be enabled. Click Install Now.
7. Once the update process begins, the Aria Operations for Networks Update screen provides the status of the update process.
Upon the completion of the update process, you see the below confirmation message. All platform and the collector nodes are updated. Click Done.
That’s it. We are done with completing the patching for Security Vulnerabilities CVE-2023-34039 and CVE-2023-20890 in VMware Aria Operations for Networks (Formerly vRealize Network Insight).
I hope this is informative for you. Kindly share it with social media, if you feel worth sharing it.