VMware reportedly fixes four serious vRealize vulnerabilities, two of which were given a 9.8 severity score.
VMware Reportedly Fixes Four Serious vRealize Vulnerabilities
VMware, a virtualization company, has released patches for four vulnerabilities in its vRealize Log Insight product, two of which carry a critical severity rating.
The critical pair are CVE-2022-31703 and CVE-2022-31704. The former is a directory traversal vulnerability, while the latter is a broken access control vulnerability. Both were given a 9.8 severity score, and both allow threat actors to gain access to resources that should otherwise not be accessible.
“An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution,” VMware explained.
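The directory traversal class named above is worth seeing in code. The following is an added example, not VMware's code and not the vRealize Log Insight flaw itself: it contrasts the unsafe pattern (trusting a caller-supplied path and concatenating it onto a base directory, so `..` segments or an absolute path walk out of that directory) with a hardened check that normalises the joined path and accepts it only if it still lies inside the base. The base directory and the request paths are constructed for the example.

```python
from pathlib import Path
from typing import Optional

# Hypothetical directory the appliance is meant to serve files from; this is
# not a real vRealize Log Insight path.
BASE_DIR = Path("/srv/appliance/uploads").resolve()


def naive_join(base: Path, user_path: str) -> str:
    """The unsafe pattern: trust the caller's path and concatenate it onto base.
    '../' sequences and absolute paths escape base entirely."""
    return str(base) + "/" + user_path


def resolve_under_base(base: Path, user_path: str) -> Optional[Path]:
    """Hardened form: normalise the joined path (collapsing '..' and following
    symlinks that exist) and accept it only if it still lies inside base."""
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        # Resolved path is not below base: traversal or absolute-path escape.
        return None
    return candidate


def classify(user_path: str) -> str:
    """Label a requested path as 'allowed' or 'rejected' for BASE_DIR."""
    return "allowed" if resolve_under_base(BASE_DIR, user_path) is not None else "rejected"


# Constructed request paths: two legitimate, three that escape the base directory.
SAMPLE_REQUESTS = [
    "2023/app.log",
    "./reports/summary.txt",
    "../../etc/passwd",
    "/etc/shadow",
    "a/b/../../../outside.txt",
]

if __name__ == "__main__":
    for p in SAMPLE_REQUESTS:
        print(f"{p!r:30} naive -> {naive_join(BASE_DIR, p)!r:50} hardened -> {classify(p)}")
```

Note that the check is done on the fully resolved path rather than by looking for `..` in the input string: the last sample request contains `..` segments that, after normalisation, still land outside the base directory, and a string filter that merely strips `../` would miss encoded or nested variants. Resolving first and comparing afterwards is the property a defender actually wants.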
The Other Two Reported Flaws and Everything You Should Know About Them
The other two reported flaws are CVE-2022-31710 and CVE-2022-31711. The former is a deserialization vulnerability that lets threat actors tamper with data and then launch denial-of-service attacks; it has been given a severity score of 7.5. The latter, with a 5.3 severity score, is an information disclosure bug that can be used to steal sensitive data.
How Users Can Protect Against the Vulnerabilities
To protect against the flaws, users are urged to apply the patch immediately and bring their endpoints to version 8.10.2. Users who cannot apply the patch at the moment can apply the workaround instead; the instructions can be found here.
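The practical first step behind that advice is knowing which appliances are still below the fixed version. The script below is an added example, not VMware's tooling: it parses version strings of the form used by appliance builds (a dotted numeric prefix, optionally followed by a build suffix), compares them against 8.10.2, and sorts a constructed inventory into patched, unpatched and unknown buckets. It assumes that any version at or above 8.10.2 carries the fix, which is an assumption of the example rather than a statement from the advisory, and it treats unparseable version strings as "unknown" rather than silently passing them.

```python
import re
from typing import Dict, List, Optional, Tuple

# Version named in the advisory as carrying the fix.
FIXED_VERSION = "8.10.2"

# Dotted numeric prefix, with an optional leading 'v'; anything after it
# (e.g. a '-<build>' suffix) is ignored for comparison purposes.
_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the numeric dotted prefix of a version string such as
    '8.10.2' or '8.8.2-21182275'; return None if there is none."""
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_at_least(version: str, minimum: str = FIXED_VERSION) -> Optional[bool]:
    """True if version >= minimum, False if lower, None if unparseable.
    Shorter tuples are zero-padded so '8.10' compares as 8.10.0."""
    a, b = parse_version(version), parse_version(minimum)
    if a is None or b is None:
        return None
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Sort hosts into 'patched', 'unpatched' and 'unknown' buckets.
    Assumption of this example: >= FIXED_VERSION is treated as patched."""
    buckets: Dict[str, List[str]] = {"patched": [], "unpatched": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        state = is_at_least(version)
        key = "unknown" if state is None else ("patched" if state else "unpatched")
        buckets[key].append(host)
    return buckets


# Constructed inventory; hostnames and version strings are made up for the example.
SAMPLE_INVENTORY = {
    "loginsight-01.example.test": "8.10.2",
    "loginsight-02.example.test": "8.8.2-21182275",
    "loginsight-03.example.test": "8.10",
    "loginsight-04.example.test": "8.12.0",
    "loginsight-05.example.test": "unknown",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:10} {', '.join(hosts) or '-'}")
```

The "unknown" bucket matters in practice: an appliance whose version cannot be read is not evidence that it is patched, so it should be followed up rather than dropped from the report.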
The flaws were originally discovered by the Zero Day Initiative, the publication confirmed. Members of the program stated that, so far, there is no evidence of the flaws being exploited in the wild.
Expert Analysis on the Matter
“We’re not aware of any public exploit code or active attacks using this vulnerability,” Dustin Childs, head of threat awareness at Trend Micro ZDI, told The Register. “While we have no current plans to publish proof of concept for this bug, our research in VMware and other virtualization technologies continues.”
What Is vRealize Log Insight?
vRealize Log Insight, for those unfamiliar with it, is a log management tool. Although it is not as well known as many of VMware's other solutions, the company's presence in both the private and public sectors makes its products an attractive target for cybercriminals on the lookout for vulnerabilities.