Virtualization giant VMware has released patches for four vulnerabilities in its vRealize Log Insight product, two of which have a "critical" severity rating.
The critical pair are CVE-2022-31703 and CVE-2022-31704. The former is a directory traversal vulnerability, while the latter is a broken access control vulnerability. Both have been given a 9.8 severity rating, and both allow threat actors to access resources that should normally be inaccessible.
"An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution," VMware explained.
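The directory traversal class described above is usually mitigated by resolving the final path and refusing anything that escapes the intended root. The guard below is an added illustration of that check, written for this article; it is not vRealize Log Insight code, the base directory `/srv/demo-root` and the sample inputs are constructed, and it assumes the input may arrive percent-encoded once.

```python
"""Constructed example: confining untrusted file paths to a base directory.

Directory traversal bugs let a caller name a path such as ``../../etc/cron.d/x``
and read or write outside the directory the service intended. The guard below
resolves the final path and verifies it is still inside the allowed root.
Nothing here is vRealize Log Insight code.
"""
from pathlib import Path
from typing import Dict, List, Optional
from urllib.parse import unquote


def contained_path(base_dir: str, untrusted: str) -> Optional[Path]:
    """Return the resolved path if it stays inside base_dir, else None.

    Assumptions (not from the advisory): the input may arrive percent-encoded
    once, so it is decoded once before the check; symlinks are followed so that
    a link pointing outside the root is also rejected.
    """
    base = Path(base_dir).resolve()
    decoded = unquote(untrusted)
    # Joining discards the left side when the right side is absolute, so an
    # absolute input resolves on its own and then fails the containment test.
    candidate = (base / decoded).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def classify(base_dir: str, inputs: List[str]) -> Dict[str, bool]:
    """Map each sample input to whether the guard accepts it."""
    return {p: contained_path(base_dir, p) is not None for p in inputs}


if __name__ == "__main__":
    SAMPLES = [  # constructed inputs; only the first and last are legitimate
        "logs/app.log",
        "../../etc/passwd",
        "%2e%2e/%2e%2e/etc/shadow",
        "/etc/passwd",
        "logs/../logs/ok.log",
    ]
    for path, ok in classify("/srv/demo-root", SAMPLES).items():
        print(f"{'accept' if ok else 'reject':6} {path}")
```

The check is deliberately done on the fully resolved path rather than by searching the string for `..`, because percent-encoding, mixed separators and symlinks all defeat substring filtering while leaving the resolved location unchanged.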
Sensitive data at risk
The other two flaws are CVE-2022-31710 and CVE-2022-31711. The former is a deserialization vulnerability that allows threat actors to tamper with data and launch denial-of-service attacks. It has been given a 7.5 severity score. The latter is a 5.3-scored information disclosure bug that can be leveraged to steal sensitive data.
To protect against the flaws, users are advised to apply the patch immediately, bringing their endpoints to version 8.10.2. Those that cannot apply the patch right now can also use the workaround, for which VMware has published instructions.
The flaws were originally discovered by the Zero Day Initiative, the publication confirmed. The program's members said that so far, there is no evidence of the flaws being abused in the wild.
"We are not aware of any public exploit code or active attacks using this vulnerability," Dustin Childs, head of threat awareness at Trend Micro's ZDI, told The Register. "While we have no current plans to publish proof of concept for this bug, our research into VMware and other virtualization technologies continues."
vRealize Log Insight is a log management tool. Although it's not as well-known as some of VMware's other solutions, the company's presence in both the public and private sectors most likely makes all of its products an attractive target for cybercriminals looking for vulnerabilities.
Via: The Register