VMware fixes four serious vRealize vulnerabilities

Red padlock open on electric circuits network dark red background
(Image credit: Shutterstock/Chor muang)

Virtualization giant VMware has released patches for four vulnerabilities in its vRealize Log Insight product, two of which have a “critical” severity rating.

The critical pair are CVE-2022-31703 and CVE-2022-31704. The former is a directory traversal vulnerability, while the latter is a broken access control vulnerability. Both were given a 9.8 severity score, and both allow threat actors to access resources that should otherwise be inaccessible.

"An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution," VMware explained.

TechRadar Pro needs you! We want to build a better website for our readers, and we need your help! You can do your bit by filling out our survey and telling us your opinions and views about the tech industry in 2023. It will only take a few minutes and all your answers will be anonymous and confidential. Thank you again for helping us make TechRadar Pro even better.

D. Athow, Managing Editor

Sensitive data at risk

The other two flaws are CVE-2022-31710 and CVE-2022-31711. The former is a deserialization vulnerability that allows threat actors to tamper with data and launch denial-of-service attacks. It’s been given a 7.5 severity score. The latter is a 5.3-scored information disclosure bug that can be leveraged to steal sensitive data.

To protect against the flaws, users are advised to apply the patch immediately, and bring their endpoints to version 8.10.2. Those that cannot apply the patch right now can also apply the workaround, for which the instructions can be found here.

The flaws were originally discovered by the Zero Day Initiative, the publication confirmed. The program’s members said that so far, there is no evidence of the flaws being abused in the wild. 

"We're not aware of any public exploit code or active attacks using this vulnerability," Dustin Childs, head of threat awareness at Trend Micro's ZDI, told The Register. "While we have no current plans to publish proof of concept for this bug, our research in VMware and other virtualization technologies continues."

vRealize Log Insight is a log management tool. Although it’s not as popular as some of VMware’s other solutions, the company’s presence in both the public and private sectors most likely makes all of its products an attractive target for cybercriminals looking for vulnerabilities.

Via: The Register

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Security
Broadcom releases fixes for multiple VMware security flaws
Representational image depecting cybersecurity protection
Ivanti reveals major security update, so make sure you're protected
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
A person's fingers type at a keyboard, with a digital security screen with a lock on it overlaid.
Veeam backup software has a serious security flaw - here's how to stay safe
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Veeam urges users to patch security issues which could allow backup hacks
vpn
Ivanti warns another critical security flaw is being attacked
Latest in Security
Isometric demonstrating multi-factor authentication using a mobile device.
NCSC gets influencers to sing the praises of 2FA
Sam Altman and OpenAI
OpenAI is upping its bug bounty rewards as security worries rise
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Dangerous new CoffeeLoader malware executes on your GPU to get past security tools
China
Notorious Chinese hackers FamousSparrow allegedly target US financial firms
A digital representation of a lock
NYU website defaced as hacker leaks info on a million students
NHS
NHS IT supplier hit with major fine following ransomware attack
Latest in News
Nintendo Switch 2 Joy-Con up-close from app store
Nintendo's new app gave us another look at the Switch 2, and there's something different with the Joy-Con
cheap Nintendo Switch game deals sales
Nintendo didn't anticipate that Mario Kart 8 Deluxe was 'going to be the juggernaut' for the Nintendo Switch when it was ported to the console, according to former employees
Three angles of the Apple MacBook Air 15-inch M4 laptop above a desk
Apple MacBook Air 15-inch (M4) review roundup – should you buy Apple's new lightweight laptop?
Witchbrook
Witchbrook, the life-sim I've been waiting years for, finally has a release window and it's sooner than you think
Amazon Echo Smart Speaker
Amazon is experimenting with renaming Echo speakers to Alexa speakers, and it's about time
Shigeru Miyamoto presents Nintendo Today app
Nintendo Today smartphone app is out now on iOS and Android devices – and here's what it does