Jan 25, 2023, by Ravie Lakshmanan
VMware on Tuesday released software updates to remediate four security
vulnerabilities affecting vRealize Log Insight[1]
(since renamed Aria Operations for Logs) that could expose users to
remote code execution attacks.
Two of the flaws are critical, each carrying a CVSS severity score of
9.8 out of a maximum of 10, the virtualization services provider noted
in its first security bulletin for 2023.
Tracked as CVE-2022-31706 (a directory traversal flaw) and
CVE-2022-31704 (a broken access control flaw), the two issues could be
exploited by a threat actor to achieve remote code execution, even
though the attack pathway differs for each.
“An unauthenticated, malicious actor can inject files into the
operating system of an impacted appliance which can result in
remote code execution,” the company said[2]
of the two shortcomings.
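The flaw class behind the two critical bugs is worth seeing in code. The following Python is an added illustration written for this page; it is not VMware's code and does not reproduce the Log Insight defect itself, whose internals the advisory does not publish. It contrasts a hypothetical file-save routine that trusts a caller-supplied name (the pattern that lets an unauthenticated request drop a file outside the directory the application meant to write into) with a hardened version that resolves the final path and refuses anything that lands outside the base directory. The names `unsafe_save`, `safe_save`, `demo`, the `TRAVERSAL_NAME` string and the temporary directory layout are all constructed for the demonstration.

```python
import os
import tempfile

# Constructed attacker-controlled filename for this demonstration; it is not
# taken from the VMware advisory. The "../" segments climb out of the
# directory the application intends to write into.
TRAVERSAL_NAME = "../../escaped.txt"


def unsafe_save(upload_dir: str, filename: str, data: bytes) -> str:
    """Illustrative vulnerable pattern (hypothetical, not Log Insight's code):
    the caller-supplied name is joined onto the upload directory with no
    normalisation or containment check, so traversal sequences place the
    file wherever the attacker chooses. Returns the resolved path written."""
    path = os.path.join(upload_dir, filename)
    with open(path, "wb") as fh:
        fh.write(data)
    return os.path.realpath(path)


def safe_save(upload_dir: str, filename: str, data: bytes) -> str:
    """Hardened form: resolve both the base directory and the final target,
    then refuse any target that does not sit inside the base. Raises
    ValueError on traversal and on absolute names, which os.path.join would
    otherwise let replace the base entirely."""
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, filename))
    # commonpath, not str.startswith: "/srv/up" must not accept "/srv/upload2/x".
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path traversal rejected: {filename!r}")
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Exercise both variants in a throwaway tree and report what happened,
    so the outcome can be inspected or asserted on rather than only printed."""
    root = os.path.realpath(tempfile.mkdtemp())
    upload_dir = os.path.join(root, "app", "uploads")
    os.makedirs(upload_dir)

    # Vulnerable variant: the file lands two levels up, outside app/uploads.
    unsafe_path = unsafe_save(upload_dir, TRAVERSAL_NAME, b"attacker content")

    # Hardened variant: traversal and absolute names are refused, a plain
    # name is accepted and stays inside the upload directory.
    try:
        safe_save(upload_dir, TRAVERSAL_NAME, b"attacker content")
        traversal_outcome = "written"
    except ValueError:
        traversal_outcome = "rejected"
    try:
        safe_save(upload_dir, os.path.join(root, "abs.txt"), b"attacker content")
        absolute_outcome = "written"
    except ValueError:
        absolute_outcome = "rejected"
    benign_path = safe_save(upload_dir, "report.log", b"benign content")

    return {
        "unsafe_wrote_outside_upload_dir":
            os.path.commonpath([upload_dir, unsafe_path]) != upload_dir,
        "unsafe_parent_is_root": os.path.dirname(unsafe_path) == root,
        "safe_traversal_outcome": traversal_outcome,
        "safe_absolute_outcome": absolute_outcome,
        "safe_benign_inside_upload_dir": os.path.dirname(benign_path) == upload_dir,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the unsafe variant writing `escaped.txt` two directories above the intended location while the hardened variant rejects both the traversal name and an absolute name. The containment check uses `os.path.commonpath` on fully resolved paths rather than a string prefix, so a base of `/srv/up` cannot be tricked by a sibling such as `/srv/upload2`, and symlinks inside the base are resolved before the comparison.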
A third vulnerability relates to a deserialization flaw
(CVE-2022-31710, CVSS score: 7.5) that could be weaponized by an
unauthenticated attacker to trigger a denial-of-service (DoS)
condition.
Lastly, vRealize Log Insight has also been found susceptible to
an information disclosure bug (CVE-2022-31711, CVSS score: 5.3)
which could permit access to sensitive session and application data
without any authentication.
The Zero Day Initiative (ZDI) has been credited for reporting
all the flaws. Besides releasing version 8.10.2 to address the
issues, VMware has also provided
workarounds[3] to mitigate them until
the patches can be applied.
While there is no indication that the aforementioned
vulnerabilities have been exploited in the wild, it’s not uncommon
for threat actors to target[4]
VMware appliances[5]
in their attacks, making it essential that the fixes are applied as
soon as possible.
References
[1] vRealize Log Insight (www.vmware.com)
[2] said (www.vmware.com)
[3] provided workarounds (kb.vmware.com)
[4] target (thehackernews.com)
[5] VMware appliances (thehackernews.com)
Read more https://thehackernews.com/2023/01/vmware-releases-patches-for-critical.html