Critical Remote Code Execution Vulnerability in VMware Aria Operations for Logs: CVE-2023-20864

On Thursday, April 20, 2023, VMware disclosed a critical deserialization vulnerability (CVE-2023-20864) in VMware Aria Operations for Logs—formerly known as vRealize Log Insight—that could result in unauthenticated remote code execution (RCE) as root.  

The vulnerability was responsibly disclosed to VMware through the Zero Day Initiative and has not been actively exploited in campaigns. Furthermore, we have not identified a public proof of concept (PoC) exploit for CVE-2023-20864. However, according to CISA’s Known Exploited Vulnerabilities Catalog, threat actors have leveraged vulnerabilities in VMware vRealize products historically.  

Alongside CVE-2023-20864, VMware disclosed one other vulnerability, which impacts the same VMware Aria Operations for Logs version as well as others.

  • CVE-2023-20865 (CVSS 7.2): Command Injection Vulnerability 

CVE-2023-20864 

| Product | Version | Fixed Version |
| --- | --- | --- |
| VMware Aria Operations for Logs | 8.10.2 | 8.12 |
| VMware Cloud Foundation* | 4.x | KB91865 |

 

CVE-2023-20865 

| Product | Versions | Fixed Version |
| --- | --- | --- |
| VMware Aria Operations for Logs | 8.10.2, 8.10, 8.8.x, and 8.6.x | 8.12 |
| VMware Cloud Foundation* | 4.x | KB91865 |

*VMware Aria Operations for Logs is included in VMware Cloud Foundation. 

Recommendation for CVE-2023-20864

Upgrade VMware Aria Operations for Logs to 8.12 

Arctic Wolf strongly recommends upgrading VMware Aria Operations for Logs to 8.12 to prevent potential exploitation. The upgrade package can be found in VMware’s Customer Connect portal here: https://customerconnect.vmware.com/en/downloads/info/slug/infrastructure_operations_management/vmware_aria_operations_for_logs/8_12#product_downloads 

VMware Aria Operations for Logs is included in the VMware Cloud Foundation (VCF) product. Customers will need to upgrade via the VMware Aria Suite Lifecycle Manager. 

Note: For customers that are running older versions of VMware Cloud Foundation (versions prior to VCF 4.5), VMware recommends upgrading to VCF 4.5 or higher. 

Please follow your organization’s patching and testing guidelines to avoid operational impact. 

Steven Campbell

Steven Campbell is a Senior Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research. He has a strong background in infrastructure analysis and adversary tradecraft.