On Tuesday, January 24th, 2023, VMware disclosed two critical vulnerabilities in VMware vRealize Log Insight that could result in remote code execution (RCE).
- CVE-2022-31706 (CVSS 9.8): Directory Traversal Vulnerability
- CVE-2022-31704 (CVSS 9.8): Broken Access Control Vulnerability
Although they are different vulnerability types, both could allow an unauthenticated threat actor to inject files into the operating system of the vulnerable product, which could result in RCE.
Both vulnerabilities were responsibly disclosed to VMware and have not been observed being actively exploited in campaigns. However, according to CISA’s Known Exploited Vulnerabilities Catalog, threat actors have historically leveraged vulnerabilities in VMware vRealize products.
As of January 25th, 2023, we have not identified a public proof of concept (PoC) exploit for either vulnerability.
Vulnerable Products
| Product | Version | Fixed Version | Workaround |
|---|---|---|---|
| VMware vRealize Log Insight | 8.x | 8.10.2 | KB90635 |
| VMware Cloud Foundation (VCF) | 4.x and 3.x | KB90668 | KB90635 |
Note: Starting with VMware Cloud Foundation version 4.4.1, the Software-Defined Data Center (SDDC) Manager does not manage upgrades of VMware vRealize Log Insight.
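A triage helper for checking an asset inventory against the table above. This is an added example written for this page, not code from Arctic Wolf or VMware; the inventory entries are constructed samples, and the verdict strings and the `vrli`/`vcf` product labels are assumptions of this example. The only version facts it encodes are the ones in the table and note: vRealize Log Insight 8.x is fixed at 8.10.2, and VCF releases before 4.4.1 still have SDDC Manager managing vRealize Log Insight upgrades.

```python
"""Flag vRealize Log Insight / VCF hosts that still need the 8.10.2 upgrade.

Added example, not part of the advisory or any VMware tooling.
Assumes an inventory of (hostname, product, version) exported from your CMDB.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

FIXED_VRLI = (8, 10, 2)            # first fixed vRealize Log Insight release (advisory table)
VCF_SDDC_MANAGED_BELOW = (4, 4, 1)  # below this, SDDC Manager still manages vRLI upgrades


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '8.10.1', '8.6' or '8.10.2-build' into a comparable 3-tuple of ints.

    Only the leading digits of each dotted component count, so build suffixes
    are ignored rather than mis-parsed.
    """
    parts: List[int] = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append(int(match.group()))
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


class Host(NamedTuple):
    name: str
    product: str   # assumed labels: "vrli" (Log Insight) or "vcf" (Cloud Foundation)
    version: str


def triage_host(host: Host) -> str:
    """Return an action verdict for one host based on the advisory's version table."""
    v = parse_version(host.version)
    if host.product == "vrli":
        if v[0] != 8:
            return "outside-advisory-table"    # the table only lists 8.x
        return "patched" if v >= FIXED_VRLI else "upgrade-to-8.10.2"
    if host.product == "vcf":
        if v[0] not in (3, 4):
            return "outside-advisory-table"
        if v < VCF_SDDC_MANAGED_BELOW:
            # VMware recommends moving to VCF 4.4.1 or higher first (see note above)
            return "upgrade-vcf-then-vrli"
        return "upgrade-vrli-via-lifecycle-manager"
    return "unknown-product"


def triage(inventory: List[Host]) -> Dict[str, str]:
    """Map every hostname in the inventory to its verdict."""
    return {h.name: triage_host(h) for h in inventory}


# Constructed sample inventory; none of these are real hosts.
SAMPLE_INVENTORY = [
    Host("vrli-01", "vrli", "8.10.2"),
    Host("vrli-02", "vrli", "8.8.0"),
    Host("vrli-03", "vrli", "8.10.1"),
    Host("vcf-01", "vcf", "4.3.0"),
    Host("vcf-02", "vcf", "4.5"),
    Host("vcf-03", "vcf", "3.10"),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{name:8} {verdict}")
```

Run it against your own export and treat every verdict other than `patched` as an open item; the version parser deliberately ignores build suffixes so that `8.10.2-<build>` is not mistaken for a newer or older release.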
In addition to the two critical vulnerabilities, VMware disclosed two other vulnerabilities that impact the same VMware vRealize Log Insight versions.
- CVE-2022-31710 (CVSS 7.5): Deserialization Vulnerability
- CVE-2022-31711 (CVSS 5.3): Information Disclosure Vulnerability
Recommendation
Upgrade VMware vRealize Log Insight to 8.10.2
Arctic Wolf strongly recommends upgrading VMware vRealize Log Insight to 8.10.2 to prevent potential exploitation. The upgrade package and virtual appliance can be found in VMware’s Customer Connect portal here: https://customerconnect.vmware.com/downloads/details?downloadGroup=VRLI-8102&productId=1351
VMware vRealize Log Insight is included in the VMware Cloud Foundation product. VMware customers will need to upgrade VMware vRealize Log Insight via the SDDC Manager or the vRealize Suite Lifecycle Manager.
Note: For organizations that are running older versions of VMware Cloud Foundation (versions prior to VCF 4.4.1), VMware recommends upgrading to VCF 4.4.1 or higher.
Please follow your organization's patching and testing guidelines to avoid operational impact.
Apply Available Workarounds if not Immediately Able to Upgrade
If your organization cannot upgrade to the latest VMware vRealize Log Insight version, run VMware's provided workaround script on each vRealize Log Insight node in the cluster and validate that the workaround was applied correctly. The script, along with instructions, can be found in VMware's Customer Connect portal.