VMware Releases Patches for Critical vRealize Log Insight Software Vulnerabilities

Jan 25, 2023 | Ravie Lakshmanan | Software Security / VMware

VMware on Tuesday released software to remediate four security vulnerabilities affecting vRealize Log Insight (aka Aria Operations for Logs) that could expose users to remote code execution attacks.

Two of the flaws are critical, carrying a severity rating of 9.8 out of a maximum of 10, the virtualization services provider noted in its first security bulletin for 2023.

Tracked as CVE-2022-31706 and CVE-2022-31704, the directory traversal and broken access control issues could be exploited by a threat actor to achieve remote code execution irrespective of the difference in the attack pathway.

“An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution,” the company said of the two shortcomings.

A third vulnerability relates to a deserialization flaw (CVE-2022-31710, CVSS score: 7.5) that could be weaponized by an unauthenticated attacker to trigger a denial-of-service (DoS) condition.

Lastly, vRealize Log Insight has also been found susceptible to an information disclosure bug (CVE-2022-31711, CVSS score: 5.3) which could permit access to sensitive session and application information without any authentication.

The Zero Day Initiative (ZDI) has been credited with reporting all the flaws. Besides releasing version 8.10.2 to address the issues, VMware has also provided workarounds to mitigate them until the patches can be applied.

While there is no indication that the aforementioned vulnerabilities have been exploited in the wild, it is not uncommon for threat actors to target VMware appliances in their attacks, making it essential that the fixes are applied as soon as possible.
