On Thursday, 20 April 2023, VMware disclosed a critical deserialisation vulnerability (CVE-2023-20864) in VMware Aria Operations for Logs—formerly known as vRealize Log Insight—that could result in unauthenticated remote code execution (RCE) as root.
The vulnerability was responsibly disclosed to VMware through the Zero Day Initiative (ZDI). At the time of writing, Arctic Wolf has not observed active exploitation of CVE-2023-20864 in campaigns, and we have not identified a public proof of concept (PoC) exploit for it. However, CISA's Known Exploited Vulnerabilities Catalog shows that threat actors have exploited vulnerabilities in VMware vRealize products in the past, so an unauthenticated root RCE in a log-collection appliance should be treated as a priority even without a known PoC.
In the same advisory (VMSA-2023-0007), VMware disclosed a second vulnerability that impacts the same version of VMware Aria Operations for Logs as well as several additional versions:
- CVE-2023-20865 (CVSSv3 7.2): Command Injection Vulnerability. A malicious actor with administrative privileges in VMware Aria Operations for Logs can execute arbitrary commands as root; unlike CVE-2023-20864 it requires authentication, which is why it carries a lower score.
CVE-2023-20864

| Product | Affected Version(s) | Fixed Version |
|---|---|---|
| VMware Aria Operations for Logs | 8.10.2 | 8.12 |
| VMware Cloud Foundation* | 4.x | KB91865 |

CVE-2023-20865

| Product | Affected Version(s) | Fixed Version |
|---|---|---|
| VMware Aria Operations for Logs | 8.10.2, 8.10, 8.8.x, and 8.6.x | 8.12 |
| VMware Cloud Foundation* | 4.x | KB91865 |

*VMware Aria Operations for Logs is included in VMware Cloud Foundation.
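As an added example (not part of this bulletin, and not Arctic Wolf or VMware tooling), the following Python script encodes the two tables above as VMware-style version patterns and triages a list of appliance versions against them. The inventory, hostnames and build-number suffixes are constructed for illustration; the affected-version patterns and the 8.12 fix threshold are taken from the tables.

```python
"""Triage VMware Aria Operations for Logs versions against VMSA-2023-0007.

Added example, not part of the Arctic Wolf bulletin or any VMware tooling.
The affected-version patterns come from the two tables in the bulletin;
everything else (hostnames, build suffixes, inventory) is constructed.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Affected versions exactly as VMware lists them. "x" is a wildcard component.
AFFECTED: Dict[str, List[str]] = {
    "CVE-2023-20864": ["8.10.2"],
    "CVE-2023-20865": ["8.10.2", "8.10", "8.8.x", "8.6.x"],
}

# Both CVEs are fixed in 8.12; anything at or above it is out of scope.
FIXED_VERSION: Version = (8, 12)

# Accepts "8.10.2", "8.10.2-12345" or "8.10.2+build" (the suffix is ignored).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-+].*)?$")


def parse_version(raw: str) -> Version:
    """Turn a reported version string into a comparable tuple, e.g. (8, 10, 2)."""
    match = _VERSION_RE.match(raw.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {raw!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def matches_pattern(version: Version, pattern: str) -> bool:
    """Compare a version tuple against a VMware-style pattern.

    Missing trailing components are treated as 0 on both sides, so "8.10"
    matches 8.10 and 8.10.0 but not 8.10.2, while "8.8.x" matches any 8.8 release.
    """
    pats = pattern.split(".")
    width = max(len(pats), len(version))
    pats = pats + ["0"] * (width - len(pats))
    ver = version + (0,) * (width - len(version))
    return all(p == "x" or int(p) == v for p, v in zip(pats, ver))


def triage(raw_version: str) -> List[str]:
    """Return the CVEs from the advisory that apply to the given version.

    An empty list means the version is either fixed (>= 8.12) or is not in
    VMware's published affected list; it does not by itself mean "safe".
    """
    version = parse_version(raw_version)
    if version >= FIXED_VERSION:
        return []
    return [
        cve
        for cve, patterns in AFFECTED.items()
        if any(matches_pattern(version, p) for p in patterns)
    ]


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each appliance hostname to the CVEs its reported version is exposed to."""
    return {host: triage(version) for host, version in inventory.items()}


# Constructed inventory for demonstration; hostnames and build suffixes are made up.
SAMPLE_INVENTORY: Dict[str, str] = {
    "loginsight-01.example.internal": "8.10.2-12345",  # both CVEs
    "loginsight-02.example.internal": "8.10.0-12346",  # CVE-2023-20865 only
    "loginsight-03.example.internal": "8.8.2-12347",   # CVE-2023-20865 only
    "loginsight-04.example.internal": "8.12.0-12348",  # fixed
}

if __name__ == "__main__":
    for host, cves in triage_inventory(SAMPLE_INVENTORY).items():
        status = ", ".join(cves) if cves else "not in affected list / fixed"
        print(f"{host:32} {status}")
```

Feed `triage_inventory` the versions from your own CMDB or appliance inventory. An empty result means only that the version is at 8.12 or later or is absent from VMware's published affected list; confirm unlisted builds against the advisory rather than assuming they are unaffected.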
Recommendation for CVE-2023-20864
Upgrade VMware Aria Operations for Logs to 8.12
Arctic Wolf strongly recommends upgrading VMware Aria Operations for Logs to 8.12 to prevent potential exploitation; the same release also remediates CVE-2023-20865. The upgrade package can be found in VMware's Customer Connect portal here: https://customerconnect.vmware.com/en/downloads/info/slug/infrastructure_operations_management/vmware_aria_operations_for_logs/8_12#product_downloads
VMware Aria Operations for Logs is included in the VMware Cloud Foundation (VCF) product. VCF customers should follow KB91865 and upgrade via the VMware Aria Suite Lifecycle Manager rather than patching the appliance directly.
Note: For customers that are running older versions of VMware Cloud Foundation (versions prior to VCF 4.5), VMware recommends upgrading to VCF 4.5 or higher.
Please follow your organisation’s patching and testing guidelines to avoid operational impact.