VMware, a leading cloud computing and virtualization technology company, has addressed a critical security vulnerability in its vRealize Log Insight product, now known as VMware Aria Operations for Logs. The vulnerability, tracked as CVE-2023-20864, allowed remote attackers to execute code on vulnerable appliances.
The bug was a deserialization vulnerability that allowed attackers to run arbitrary code as root on compromised systems.
A second vulnerability, tracked as CVE-2023-20865, which enabled remote attackers with administrative privileges to execute arbitrary commands as root, was also addressed in the security update.
Both vulnerabilities were addressed with the release of VMware Aria Operations for Logs 8.12, and there is no evidence that these security bugs were exploited in the wild before being patched.
However, in January, the company addressed another pair of critical vulnerabilities affecting the same product and allowing remote code execution, as well as flaws that could be exploited for information theft and denial-of-service attacks.
Security researchers with Horizon3’s Attack Team released proof-of-concept code that chains three of the four bugs to execute code remotely as root on compromised VMware vRealize appliances.
While only a few dozen VMware vRealize instances are exposed online, it is not uncommon for attackers to exploit vulnerabilities affecting devices in already compromised networks, making properly configured yet vulnerable VMware appliances valuable internal targets.
VMware recommends that users of version 8.10.2 immediately patch CVE-2023-20864 and advises that other versions of VMware Aria Operations for Logs are impacted by CVE-2023-20865, which has a lower CVSSv3 score of 7.2.