Virtualization giant VMware has released patches for four vulnerabilities in its vRealize Log Insight product, two of which have a “Critical” severity rating.
The critical pair are CVE-2022-31703 and CVE-2022-31704. The first is a directory traversal vulnerability, while the second is a broken access control vulnerability. Both carry a severity score of 9.8, and both allow threat actors to reach resources that would otherwise be inaccessible.
“An unauthenticated malicious actor can inject files into the operating system of an affected device that could lead to remote code execution,” VMware explained.
Sensitive data is at risk
The other two flaws are CVE-2022-31710 and CVE-2022-31711. The first is a deserialization vulnerability that allows threat actors to tamper with data and launch denial-of-service attacks; it was given a severity score of 7.5. The latter, an information disclosure flaw scored at 5.3, can be leveraged to steal sensitive data.
To guard against the flaws, users are advised to apply the patch immediately and bring their deployments to version 8.10.2. Those who cannot apply the patch at the moment can instead apply the workaround, the instructions for which can be found here.
The publication confirmed that the flaws were originally discovered through the Zero Day Initiative. So far, members of the program said, there is no evidence of the flaws being abused in the wild.
“We are not aware of any public exploit code or active attacks using this vulnerability,” said Dustin Childs, Head of Threat Awareness at Trend Micro’s ZDI. “While there are no current plans to publish a proof-of-concept for this bug, our research into VMware and other virtualization technologies continues.”
vRealize Log Insight is a log management tool. Although not as popular as some of VMware’s other solutions, the company’s presence in both the public and private sectors likely makes all of its products an attractive target for cybercriminals looking for vulnerabilities.
Via: The Register