VMware has issued fixes for four vulnerabilities, including two critical 9.8-rated remote code execution bugs, in its vRealize Log Insight software.
There are no reports (yet) of nation-state thugs or cybercriminals finding and exploiting these bugs, according to VMware. However, it’s a good idea to patch sooner rather than later to avoid being patient zero.
vRealize Log Insight is a log management tool – everyone’s favourite task, not – and while it may not be as popular as some of the virtualization giant’s other products, VMware’s ubiquity across enterprises and governments and its practice of bundling products mean holes in its products are always very attractive targets for miscreants looking to make a buck and/or steal sensitive information.
Case in point: the state-sponsored Iranian crew that, in November, exploited the high-profile Log4j vulnerability to infiltrate an unpatched VMware Horizon server within the US federal government and deployed the XMRig crypto miner.
The two most serious bugs in today’s security advisory include a directory traversal vulnerability (CVE-2022-31703) and a broken access control vulnerability (CVE-2022-31704). Both received a near-perfect 9.8 out of 10 CVSS rating.
While the two flaws provide different paths for a miscreant to gain unauthorized access to restricted resources, the result of a successful exploit is the same.
“An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution,” VMware warned about both critical bugs.
The third bug, CVE-2022-31710, is a deserialization vulnerability in vRealize Log