VMware on Tuesday released security patches to address vulnerabilities in vRealize Log Insight that could allow attackers to achieve remote execution on unpatched appliances.
vRealize Log Insight (now called VMware Aria Operations for Logs) is a log management and analysis tool that can analyze terabytes of infrastructure and application logs in VMware environments.
The first critical bug patched today is CVE-2022-31703 and is described as a directory traversal vulnerability that malicious actors can exploit to inject files into the operating system of affected devices in order to execute remote code.
The second (tracked as CVE-2022-31704) is a broken access control flaw that can also be exploited to achieve remote code execution on vulnerable devices by injecting maliciously crafted files.
Both vulnerabilities are labeled as critically severe with CVSS Base Scores of 9.8/10 and can be exploited by unauthenticated malicious actors in low-complexity attacks that do not require user interaction.
Today, VMware also discussed a deserialization vulnerability (CVE-2022-31710) that can be used to trigger a denial of service state and an information disclosure bug (CVE-2022-31711) that can be exploited to access sensitive session and application information.
The company said the vulnerabilities were patched with VMware vRealize Log Insight 8.10.2. None of the security bugs patched today have been identified as being exploited in the wild.
Workaround also available
VMware provides step-by-step instructions on upgrading to the latest version of vRealize Log Insight.
The company also shared an interim fix for administrators who cannot immediately deploy today’s security updates to their environments.
To apply the workaround, log in to each vRealize Log Insight node in your cluster as root via SSH and run a script (provided by VMware).
Administrators are also advised to validate the workaround by logging each node on which the workaround script was run.
If the workaround was applied successfully, you should receive a message that “workaround for VMSA-2023-0001 was implemented successfully”.
Last month, VMware also patched a critical EHCI controller heap out-of-bounds write flaw (CVE-2022-31705) affecting ESXi, Workstation, and Fusion that may lead to code execution, and a command injection vulnerability (CVE-2022-31702) that allows command execution without authentication via the vRNI REST API.