Virtualization giant VMware has released patches for four vRealize Log Insight vulnerabilities, two of which are rated “critical” severity.
The critical pair is CVE-2022-31703 and CVE-2022-31704. The first is a directory browsing vulnerability and the second is a broken access control vulnerability. Both received a severity rating of 9.8 and both allow cybercriminals to access resources that would otherwise be inaccessible.
“An unauthenticated malicious actor could inject files into the affected device’s operating system, which could result in remote code execution,” VMware explained.
Sensitive data at risk
The other two vulnerabilities are CVE-2022-31710 and CVE-2022-31711. The first is a deserialization vulnerability that allows cybercriminals to manipulate data and launch denial-of-service attacks; it received a severity rating of 7.5. The second is an information disclosure bug with a score of 5.3 that can be used to steal sensitive data.
To protect against the flaws, users are advised to apply the patch immediately and upgrade their endpoints to version 8.10.2. Those unable to apply the patch now can instead apply the workaround, for which instructions have been published.
The publication confirmed that the flaws were originally discovered by the Zero Day Initiative. Members of the program said that so far there is no evidence of these flaws being exploited in the wild.
“We are not aware of any public exploit code or active attacks that exploit this vulnerability,” said Dustin Childs, head of Threat Awareness at Trend Micro’s ZDI, speaking to The Register. “Although we do not currently plan to publish a proof of concept for this bug, our research into VMware and other virtualization technologies continues.”
vRealize Log Insight is a log management tool. While not as popular as some of VMware’s other solutions, the company’s presence in both the public and private sectors most likely makes all of its products attractive targets for cybercriminals looking for vulnerabilities.
Via: The Register