Stratos Ally

VMware Releases Patch for Severe Vulnerability in Aria Automation


StratosAlly


On Wednesday, Broadcom-owned VMware announced the release of a patch for a high-risk SQL injection vulnerability in its Aria Automation product. With a CVSS score of 8.5 out of 10, the vulnerability is rated “high-severity” and is tracked as CVE-2024-22280.

According to VMware, the vulnerability stems from inadequate input validation in Aria Automation, which allows an authenticated user to submit specially crafted SQL queries. This enables unauthorized read and write operations on the database and poses a serious security risk.

The affected versions are VMware Aria Automation 8.x and VMware Cloud Foundation 5.x and 4.x. VMware emphasized the need to apply the patches quickly, given the potential for significant data manipulation and access breaches.

For example, imagine that a company’s database is a high-security vault. Normally, only authorized personnel with a valid key can access or change its contents. This vulnerability resembles a flaw in the vault’s lock mechanism: someone holding only a limited-access tool (in this case, crafted SQL queries) can open the vault and manipulate its contents undetected.

The flaw was privately reported by researchers at the Centre Gouvernemental de Cyberdéfense (CGCD) of Quebec, prompting VMware to swiftly develop and release critical patches, demonstrating its proactive approach to security.

VMware’s advisory emphasizes the importance of ongoing vigilance and alertness in cybersecurity practice. Users are strongly recommended to apply these patches immediately to protect against possible exploitation.

Users should refer to the official VMware Advisory for more information about the vulnerability and detailed instructions for applying the patch.
