VMware has fixed a critical vRealize Log Insight security vulnerability that allows remote attackers to achieve remote code execution on vulnerable appliances.

Now known as VMware Aria Operations for Logs, this log analysis tool helps manage terabytes of application and infrastructure logs in large-scale environments.

The bug (tracked as CVE-2023-20864) is described as a deserialization vulnerability that can be exploited to execute arbitrary code as root on vulnerable systems.

CVE-2023-20864 can be remotely exploited by unauthenticated malicious actors in low-complexity attacks that do not require user interaction.

Today, VMware also released security updates for a second security flaw (tracked as CVE-2023-20865) that allows remote attackers with administrative privileges to execute arbitrary commands as root.

These two vulnerabilities have been fixed with the publication of VMware Aria Operations for Logs 8.12. There is no evidence that these security bugs were exploited in the wild before they were fixed.

“CVE-2023-20864 is a critical issue and should be fixed immediately per the advisory instructions. It should be noted that only version 8.10.2 is affected by this vulnerability (CVE-2023-20864),” VMware said.

“Other versions of VMware Aria Operations for Logs (formerly vRealize Log Insight) are affected by CVE-2023-20865, but this has a lower CVSSv3 score of 7.2.”
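The affected-version statements above translate directly into a patch-triage check. The following script is an added example and is not code from the article or from VMware: it encodes only what the article reports (8.10.2 carries CVE-2023-20864, other pre-8.12 releases carry CVE-2023-20865, and 8.12 fixes both) and treats every other detail, including the build-suffix format, the inventory layout and the hostnames, as constructed assumptions; the vendor advisory remains the authoritative affected-version matrix.

```python
# Added example: version triage for VMware Aria Operations for Logs
# (formerly vRealize Log Insight) against the two CVEs named in the article.
# The version facts come from the article; everything else (inventory format,
# hostnames, build-suffix handling) is a constructed assumption.
from typing import Dict, List, Tuple

FIXED_VERSION = (8, 12)              # release that ships both fixes (from the article)
CVE_20864_ONLY_VERSION = (8, 10, 2)  # the one version the vendor says carries CVE-2023-20864


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse '8.10.2' into (8, 10, 2).

    Assumption: appliance version strings may carry a build suffix after a
    dash (e.g. '8.12.0-21234'); the suffix is ignored for comparison.
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def triage(version: str) -> List[str]:
    """Return the CVE identifiers an appliance at `version` is exposed to."""
    v = parse_version(version)
    if v[:2] >= FIXED_VERSION:
        return []  # 8.12 or later: both issues fixed
    if v == CVE_20864_ONLY_VERSION:
        # The article quotes VMware: only 8.10.2 is affected by the critical bug.
        return ["CVE-2023-20864"]
    # Assumption: every other pre-8.12 release is in the "other versions" set
    # the vendor says carry the lower-severity CVE-2023-20865.
    return ["CVE-2023-20865"]


def triage_inventory(inventory: Dict[str, str]) -> List[Tuple[str, str, List[str]]]:
    """Flag every appliance in a host->version map that still needs the 8.12 update.

    Unparseable versions are reported with an explicit marker so they are not
    silently treated as patched.
    """
    findings = []
    for host, version in sorted(inventory.items()):
        try:
            cves = triage(version)
        except ValueError:
            cves = ["UNKNOWN-VERSION"]
        if cves:
            findings.append((host, version, cves))
    return findings


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "logs-prod-01.example.internal": "8.10.2",
    "logs-prod-02.example.internal": "8.12.0-21234",
    "logs-dr-01.example.internal": "8.8.0",
    "logs-lab-01.example.internal": "unknown",
}

if __name__ == "__main__":
    for host, version, cves in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}\t{version}\t{', '.join(cves)}")
```

The design choice worth noting is the handling of unparseable versions: an inventory export that returns an empty or malformed version for an appliance is exactly the case where a "no findings" result would be misleading, so the script surfaces it as a finding rather than skipping it.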

Two more critical vRealize bugs fixed in January

In January, the company addressed another pair of critical vulnerabilities (CVE-2022-31706 and CVE-2022-31704) affecting the same product and allowing remote code execution, as well as vulnerabilities that can be exploited for information theft (CVE-2022-31711) and denial-of-service attacks (CVE-2022-31710).

A week later, security researchers from Horizon3's attack team released proof-of-concept (PoC) code that chains three of the four bugs together, allowing attackers to execute code remotely as root on vulnerable VMware vRealize appliances.

Although only a few dozen instances of VMware vRealize are exposed online, that is to be expected, as these appliances are designed to be accessed only from organizations' internal networks.

However, it is not uncommon for attackers to exploit vulnerabilities affecting devices in already compromised networks, making properly configured but vulnerable VMware appliances valuable internal targets.
