VMware on Tuesday released software to remediate four security vulnerabilities affecting vRealize Log Insight (aka Aria Operations for Logs) that could expose users to remote code execution attacks.
Two of the flaws are critical, carrying a severity rating of 9.8 out of a maximum of 10, the virtualization services provider noted in its first security bulletin for 2023.
Tracked as CVE-2022-31706 and CVE-2022-31704, the directory traversal and broken access control issues could be exploited by a threat actor to achieve remote code execution regardless of the difference in the attack pathway.
“An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution,” the company said of the two shortcomings.
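The two critical bugs both come down to a file being written somewhere it should not be. The following is an added example, not code from VMware or the vRealize Log Insight product: it shows the server-side check that confines a user-supplied file name to a storage directory (rejecting percent-encoded and double-encoded parent-directory segments), a detection helper that flags traversal segments in access-log request paths, and a version check against the 8.10.2 release named in the bulletin. The storage root, the log lines and the API paths in them are constructed for the example; the assumption that releases after 8.10.2 retain the fix is the example's own.

```python
import posixpath
from typing import List, Optional
from urllib.parse import unquote

# Constructed storage root for the example; a real appliance would use its own.
# This is an added illustration, not code from VMware or vRealize Log Insight.
BASE_DIR = "/var/lib/example-app/uploads"

# Version the bulletin names as addressing the issues (from the article).
FIXED_VERSION = (8, 10, 2)


def _decode(user_path: str) -> str:
    """Percent-decode twice (catches double-encoded '..') and unify separators."""
    return unquote(unquote(user_path)).replace("\\", "/")


def resolve_safe_path(base_dir: str, user_path: str) -> Optional[str]:
    """Return an absolute path confined to base_dir, or None if user_path escapes.

    Rejects empty input, NUL bytes and absolute paths, then normalises the
    joined path and checks it is still base_dir or a descendant of it. In
    production, also resolve symlinks (os.path.realpath) before the final check.
    """
    decoded = _decode(user_path)
    if not decoded or "\x00" in decoded or decoded.startswith("/"):
        return None
    base_norm = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base_norm, decoded))
    if candidate != base_norm and not candidate.startswith(base_norm + "/"):
        return None
    return candidate


def flag_traversal_attempt(request_path: str) -> bool:
    """Detection side: True if the decoded request path contains a parent-directory
    segment, whether or not it would actually escape the storage root."""
    segments = _decode(request_path).split("/")
    return ".." in segments


def scan_access_log(lines: List[str]) -> List[str]:
    """Return request paths from common-log-format lines that carry traversal
    segments. The request path is the second token of the quoted request field."""
    hits = []
    for line in lines:
        try:
            request = line.split('"')[1]       # e.g. 'GET /api/x HTTP/1.1'
            path = request.split(" ")[1]
        except IndexError:
            continue                            # malformed line, skip it
        if flag_traversal_attempt(path):
            hits.append(path)
    return hits


def is_fixed_version(version: str) -> bool:
    """True if the appliance version is at or above the release the bulletin
    names as fixed (assumes later releases retain the fix)."""
    parts = tuple(int(p) for p in version.split("."))
    return parts >= FIXED_VERSION


# Constructed sample access-log lines (not captured from any real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jan/2023:10:00:01 +0000] "GET /api/v1/reports/daily.log HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Jan/2023:10:00:02 +0000] "GET /api/v1/reports/..%2F..%2Fetc%2Fhosts HTTP/1.1" 404 0',
    '10.0.0.9 - - [24/Jan/2023:10:00:03 +0000] "GET /api/v1/reports/%252e%252e/%252e%252e/tmp/x HTTP/1.1" 404 0',
    'garbage line without a request field',
]

if __name__ == "__main__":
    for p in ("daily.log", "../../etc/hosts", "sub/../ok.txt", "/etc/hosts"):
        print(f"{p!r:20} -> {resolve_safe_path(BASE_DIR, p)}")
    print("flagged:", scan_access_log(SAMPLE_LOG))
    print("8.10.2 fixed:", is_fixed_version("8.10.2"), "| 8.9.1 fixed:", is_fixed_version("8.9.1"))
```

The resolver normalises before comparing rather than searching for `..` substrings, so a benign `sub/../ok.txt` is accepted while anything that lands outside the root is refused; the detection helper is deliberately broader and flags every parent-directory segment, which is the right trade-off when triaging logs for a known traversal bug.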
A third vulnerability relates to a deserialization flaw (CVE-2022-31710, CVSS score: 7.5) that could be weaponized by an unauthenticated attacker to trigger a denial-of-service (DoS) condition.
Lastly, vRealize Log Insight has also been found susceptible to an information disclosure bug (CVE-2022-31711, CVSS score: 5.3) which could permit access to sensitive session and application data without any authentication.
The Zero Day Initiative (ZDI) has been credited with reporting all the issues. Besides releasing version 8.10.2 to address the problems, VMware has also provided workarounds to mitigate them until the patches can be applied.
While there is no indication that the aforementioned vulnerabilities have been exploited in the wild, it is not uncommon for threat actors to target VMware appliances in their attacks, making it essential that the fixes are applied as soon as possible.