VMware Releases Patches for Critical vRealize Log Insight Software Vulnerabilities (Security News, January 2023)
VMware on Tuesday released software updates to remediate four security vulnerabilities in vRealize Log Insight, two of which could expose users to remote code execution attacks.
Tracked as CVE-2022-31706 and CVE-2022-31704 (both rated 9.8 on the CVSS scale), the directory traversal and broken access control flaws could each be exploited by a threat actor to achieve remote code execution, even though the two issues are reached by different attack paths.
A third vulnerability relates to a deserialization flaw that could be weaponized by an unauthenticated attacker to trigger a denial-of-service condition.
Lastly, vRealize Log Insight has also been found susceptible to an information disclosure bug which could permit access to sensitive session and application data without any authentication.
In addition to releasing version 8.10.2, which addresses all four issues, VMware has published workarounds to mitigate them until the update can be applied.
While there is no indication that these vulnerabilities have been exploited in the wild, threat actors routinely target VMware appliances, so the fixes should be applied as soon as possible.
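The first check a practitioner wants after reading an advisory like this is whether any appliance in the estate is still below the fixed release. The following is an added example and is not code from the article or from VMware; the only fact it takes from the page is the fixed version, 8.10.2. It assumes a version string of the form `major.minor.patch` with an optional `-build` suffix, and the inventory it runs over is constructed sample data with hypothetical hostnames. The point it demonstrates is that versions must be compared numerically per component: a plain string comparison ranks "8.9.0" above "8.10.2" and would report an unpatched appliance as safe.

```python
"""Patch-status triage for vRealize Log Insight appliance versions.

Added example, not from the article or from VMware. FIXED_VERSION is the
release named in the article; the version string format and the sample
inventory below are assumptions / constructed data.
"""
from __future__ import annotations

import re

FIXED_VERSION = "8.10.2"  # from the article: the release that addresses the four CVEs

# Assumed format: major.minor.patch, optionally followed by "-<build number>".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")


def parse_version(text: str) -> tuple[int, int, int] | None:
    """Return (major, minor, patch) as integers, or None if the string does not parse.

    A trailing build suffix is accepted but ignored for the comparison.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.group(1, 2, 3))


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool | None:
    """True if version >= fixed, False if it is older, None if unparseable.

    Tuples of ints compare component-wise, so 8.10.x sorts above 8.9.x. The
    same comparison on the raw strings would get this wrong ("8.9.0" > "8.10.2").
    """
    v = parse_version(version)
    f = parse_version(fixed)
    if v is None or f is None:
        return None
    return v >= f


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames into 'patched', 'unpatched' and 'unknown' (unparseable version)."""
    result: dict[str, list[str]] = {"patched": [], "unpatched": [], "unknown": []}
    for host, version in inventory.items():
        status = is_patched(version)
        if status is None:
            result["unknown"].append(host)
        elif status:
            result["patched"].append(host)
        else:
            result["unpatched"].append(host)
    for hosts in result.values():
        hosts.sort()
    return result


# Constructed sample inventory: hypothetical hostnames and version strings.
SAMPLE_INVENTORY = {
    "loginsight-01.example.internal": "8.10.2-21145187",  # fixed release with a build suffix
    "loginsight-02.example.internal": "8.10.0",           # same minor line, older patch level
    "loginsight-03.example.internal": "8.9.0",            # the string-comparison trap
    "loginsight-04.example.internal": "8.12.0",           # newer than the fixed release
    "loginsight-05.example.internal": "unknown",          # inventory gap, must be flagged, not ignored
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts that land in the "unknown" bucket should be treated as unpatched until their version is confirmed; a triage script that silently drops unparseable entries hides exactly the appliances nobody has looked at. A version check is also only half the story: where the workaround rather than the update was applied, its presence has to be verified on each appliance separately.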
News URL
https://thehackernews.com/2023/01/vmware-releases-patches-for-critical.html
Related news
- Zero-Day Alert: Three Critical Ivanti CSA Vulnerabilities Actively Exploited
- VMware Releases vCenter Server Update to Fix Critical RCE Vulnerability
- VMware fixes critical vCenter Server RCE bug – again! (CVE-2024-38812)
- VMware fixes bad patch for critical vCenter Server RCE flaw
- VMware fixes critical RCE, make-me-root bugs in vCenter - for the second time
- Week in review: Fortinet patches critical FortiManager 0-day, VMware fixes vCenter Server RCE
- HPE Issues Critical Security Patches for Aruba Access Point Vulnerabilities
- Patch Tuesday: Four Critical Vulnerabilities Paved Over
- Critical vulnerabilities persist in high-risk sectors
- Critical RCE bug in VMware vCenter Server now exploited in attacks
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK (CVSS)
---|---|---|---
2023-01-26 | CVE-2022-31706 | Directory traversal vulnerability in VMware vRealize Log Insight | 9.8
2023-01-26 | CVE-2022-31704 | Broken access control vulnerability in VMware vRealize Log Insight | 9.8