Security News > 2023 > January > VMware Releases Patches for Critical vRealize Log Insight Software Vulnerabilities
VMware on Tuesday released software to remediate four security vulnerabilities affecting vRealize Log Insight that could expose users to remote code execution attacks.
Tracked as CVE-2022-31706 and CVE-2022-31704, the directory traversal and broken access control issues could be exploited by a threat actor to achieve remote code execution irrespective of the difference in the attack pathway.
A third vulnerability relates to a deserialization flaw that could be weaponized by an unauthenticated attacker to trigger a denial-of-service condition.
Lastly, vRealize Log Insight has also been found susceptible to an information disclosure bug which could permit access to sensitive session and application data without any authentication.
Besides releasing version 8.10.2 to address the issues, VMware has also provided workarounds to mitigate them until the patches can be applied.
While there is no indication that the aforementioned vulnerabilities have been exploited in the wild, it's not uncommon for threat actors to target VMware appliances in their attacks, making it essential that the fixes are applied as soon as possible.
News URL
https://thehackernews.com/2023/01/vmware-releases-patches-for-critical.html
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-01-26 | CVE-2022-31706 | Path Traversal vulnerability in VMWare Vrealize LOG Insight The vRealize Log Insight contains a Directory Traversal Vulnerability. | 9.8 |
| 2023-01-26 | CVE-2022-31704 | Unspecified vulnerability in VMWare Vrealize LOG Insight The vRealize Log Insight contains a broken access control vulnerability. | 9.8 |