January 25, 2023

VMWare Patches 2 Critical VMware vRealize Vulnerabilities

VMWare has patched two critical vulnerabilities in vRealize Log Insight that might allow a malicious actor to inject files into the operating systems of vulnerable appliances in order to gain remote code execution.

In addition to these critical vulnerabilities, VMware patched additional vulnerabilities that might allow a malicious actor to cause a denial of service and access sensitive session and application data.

The Critical Vulnerabilities

• CVE-2022-31706, (CVSS 3.1: 9.8, Critical) – Directory Traversal Vulnerability in vRealize Log Insight, might allow to an unauthenticated, malicious actor to inject files into the operating system of an impacted appliance and perform remote code execution.
• CVE-2022-31704, (CVSS 3.1: 9.8, Critical) – broken access control vulnerability in vRealize Log Insight, might allow to an unauthenticated, malicious actor to inject files into the operating system of an impacted appliance and perform remote code execution.

Affected Product

• VMware vRealize Log Insight prior to version 8.10.2

Mitigation

CYREBRO recommends patching all relevant products to mitigate the vulnerabilities. For a list of available patches and possible workarounds, please refer to the ‘Response Matrix’ section in the official advisory.

References: VMWare Advisory