Patching Urged For ‘Critical’ VMware vRealize Vulnerabilities
By exploiting the vulnerabilities in VMware’s vRealize Log Insight tool, an attacker could seize control of an impacted system, the U.S. cybersecurity agency said Wednesday.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging the deployment of patches for vulnerabilities affecting a VMware log management and analytics tool, including two vulnerabilities that have received a “critical” severity rating from VMware.
The two critical vulnerabilities affecting VMware’s vRealize Log Insight tool could be exploited by an unauthenticated attacker to achieve remote code execution on an affected system, the company said. In other words, “a remote attacker could exploit these vulnerabilities to take control of an affected system,” CISA said in its advisory Wednesday.
“CISA encourages users and administrators to review VMware Security Advisory VMSA-2023-0001 and apply the necessary updates,” the agency said.
While both VMware and CISA refer to the affected tool as vRealize Log Insight in their advisories, presumably because that is the more recognizable name, the product has been renamed and is now officially known as VMware Aria Operations for Logs, according to VMware’s website.
The two VMware vulnerabilities that could enable remote code execution are:
- A “directory traversal” vulnerability (tracked as CVE-2022-31706), through which “an unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution,” VMware said. The vulnerability has been given a “critical” severity rating with a CVSSv3 base score of 9.8 out of 10.0.
- A broken access control vulnerability (tracked as CVE-2022-31704), with which “an unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution,” VMware said. The vulnerability has also been given a “critical” severity rating with a CVSSv3 base score of 9.8 out of 10.0.
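To illustrate the directory-traversal class described above in general terms, here is an added example that is not VMware’s code and does not reflect how the Log Insight appliance is built: a file-write handler that trusts a client-supplied name, the same handler with a canonicalisation check, and both run against constructed traversal attempts in a throw-away temporary directory. The file names, directory layout and handler functions are all assumptions made for the illustration.

```python
"""Added example, not VMware's code: a file-write handler that trusts a
client-supplied name (the directory-traversal pattern), the same handler with
a canonicalisation check, and both run against constructed traversal attempts
in a throw-away temp directory.  Names and directories are made up."""
import os
import shutil
import tempfile
from urllib.parse import unquote


def vulnerable_save(upload_dir: str, client_name: str, data: bytes) -> str:
    """Naive handler.  The name is percent-decoded (as a web layer would do)
    and never checked, so '../' climbs out of upload_dir and an absolute
    name replaces it entirely (os.path.join discards the base)."""
    target = os.path.join(upload_dir, unquote(client_name))
    with open(target, "wb") as f:
        f.write(data)
    return target


def safe_target(upload_dir: str, client_name: str) -> str:
    """Resolve the requested name and insist the result stays inside
    upload_dir.  Rejects '../', percent-encoded '..', absolute names,
    NUL bytes and symlink escapes (realpath follows links before the check)."""
    name = unquote(client_name)
    if "\x00" in name:
        raise ValueError("NUL byte in file name")
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, name))
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError(f"{client_name!r} resolves outside {base}")
    return target


def hardened_save(upload_dir: str, client_name: str, data: bytes) -> str:
    """Same write, but only after safe_target() has accepted the name."""
    target = safe_target(upload_dir, client_name)
    with open(target, "wb") as f:
        f.write(data)
    return target


def demo() -> dict:
    """Try constructed names against both handlers.  Returns, per label,
    (vulnerable handler wrote outside upload_dir, hardened handler refused)."""
    root = os.path.realpath(tempfile.mkdtemp())
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    attempts = [
        ("plain", "report.log"),                           # legitimate name
        ("dotdot", "../outside.txt"),                      # classic traversal
        ("encoded", "%2e%2e/encoded.txt"),                 # decodes to ../
        ("absolute", os.path.join(root, "absolute.txt")),  # base discarded
    ]
    results = {}
    try:
        for label, name in attempts:
            written = os.path.realpath(vulnerable_save(uploads, name, b"x"))
            escaped = os.path.commonpath([uploads, written]) != uploads
            try:
                hardened_save(uploads, name, b"x")
                refused = False
            except ValueError:
                refused = True
            results[label] = (escaped, refused)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return results


if __name__ == "__main__":
    for label, (escaped, refused) in demo().items():
        print(f"{label:9s} vulnerable wrote outside: {escaped!s:5s} "
              f"hardened refused: {refused}")
```

The check resolves the path with `os.path.realpath` before comparing, so symlinks planted inside the upload directory are followed and judged by where they really point; a plain string prefix test on the unresolved path would miss them, and would also accept a sibling directory whose name merely starts with the base name, which is why `os.path.commonpath` is used instead.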
The two other vRealize Log Insight vulnerabilities disclosed this week by VMware are a deserialization vulnerability (with a CVSSv3 base score of 7.5, rated “important”) and an information disclosure vulnerability (with a CVSSv3 base score of 5.3, rated “moderate”).
When it comes to addressing software vulnerabilities, the key for organizations is to understand the actual business impact of any given vulnerability and then prioritize accordingly, according to Brad Davenport, vice president of technical architecture for cybersecurity, networking and collaboration at Logicalis US, No. 66 on the 2022 CRN Solution Provider 500.
“With so many different solutions in your infrastructure, with so many different software suites, you can’t possibly be expected to be 100 percent patched all of the time,” Davenport told CRN. “It’s a constant prioritization game to determine what ultimately is the business impact, and then to really prioritize those things.”
Being able to prioritize in that way, however, is an area that many businesses struggle with. Many businesses “have not yet reached that level of maturity, where they understand what the actual business impact of vulnerabilities is,” he said.
That’s prompted many organizations to seek out advisory services for these types of scenarios from providers that offer them such as Logicalis US, Davenport said.
“What we’ve tried to do is push that conversation further outside of the IT decision makers, and talk more generally with the business leaders and business owner about risks” from issues such as software vulnerabilities, he said.