VMware has fixed two vulnerabilities (CVE-2023-20864, CVE-2023-20865) in VMware Aria Operations for Logs (formerly vRealize Log Insight), a widely used cloud solution for log analysis and management.
About the vulnerabilities (CVE-2023-20864, CVE-2023-20865)
CVE-2023-20864 is a deserialization vulnerability that can be exploited by an unauthenticated, malicious actor with network access to VMware Aria Operations for Logs, resulting in the execution of arbitrary code as root.
CVE-2023-20865 is a command injection vulnerability that allows a bad actor with administrative privileges in VMware Aria Operations for Logs to execute arbitrary commands as root.
The vulnerabilities were reported privately, and VMware has not shared additional technical details that would point to their origin.
The good news is that there is currently no evidence to suggest that they have been exploited in the wild.
“Because of the nature of the VMware Aria Operations for Logs product not being a public facing asset, we do not anticipate seeing widespread exploitation of this flaw,” noted Satnam Narang, staff research engineer at Tenable.
“However, an attacker that gains a foothold into a network running a vulnerable version of VMware Aria Operations for Logs could utilize a flaw like this one as part of their post-compromise activity.”
Earlier in 2023, VMware similarly patched critical flaws in the same solution, and a PoC exploit was publicly released soon after, but there have been no reports of attackers leveraging them since.
The vulnerabilities affect:
- VMware Aria Operations for Logs (v8.6.x, 8.8.x, 8.10 and 8.10.2)
- VMware Cloud Foundation (v4.x)
To plug these security holes, admins should update their VMware Aria Operations for Logs installations to version 8.12.
The upgrade process for VMware Cloud Foundation is more involved and is documented separately by VMware.
No workarounds are available, so upgrading is recommended.
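As an added example (not from the article, VMware, or the advisory), the following Python script maps version strings from a host inventory onto the affected and fixed versions listed above, so an admin can find installations that still need the 8.12 upgrade. The hostnames and inventory lines are constructed; versions the advisory does not name are flagged for manual verification rather than assumed safe.

```python
"""Triage VMware Aria Operations for Logs versions against the advisory above.

Added example, not code from the article or from VMware. The affected
branches and the fixed version come from the text above; the inventory
lines and hostnames below are constructed for illustration.
"""
import re
from typing import Dict, Tuple

# From the advisory text: 8.6.x and 8.8.x (any patch level), plus exactly
# 8.10 and 8.10.2. Fixed in 8.12.
AFFECTED_BRANCHES = {(8, 6), (8, 8)}
AFFECTED_EXACT = {(8, 10, 0), (8, 10, 2)}
FIXED_VERSION = (8, 12, 0)

# Constructed sample inventory, one "<host> <version>" per line (hypothetical hosts).
SAMPLE_INVENTORY = """\
vrli-prod-01 8.10.2
vrli-prod-02 8.12.0
vrli-lab-01  8.8.3
vrli-lab-02  8.10.1
vrli-old-01  8.4.1
vrli-bad-01  not-installed
"""

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse '8.10' or '8.10.2' into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def classify(version: str) -> str:
    """Return 'affected', 'fixed' or 'unlisted' for one version string."""
    v = parse_version(version)
    if v[:2] in AFFECTED_BRANCHES or v in AFFECTED_EXACT:
        return "affected"
    if v >= FIXED_VERSION:
        return "fixed"
    # Releases the advisory does not name (e.g. 8.10.1 or anything before
    # 8.6): do not assume they are safe; flag them for manual verification.
    return "unlisted"


def triage(inventory: str) -> Dict[str, str]:
    """Classify each 'host version' line; unparsable versions become 'invalid'."""
    result: Dict[str, str] = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition(" ")
        try:
            result[host] = classify(version.strip())
        except ValueError:
            result[host] = "invalid"
    return result


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:<14} {status}")
```

The script deliberately reports "unlisted" instead of "not affected" for versions the advisory does not mention: an absent entry in a vendor's affected list is not a statement that the release is safe, and such hosts should be checked against the vendor's current advisory before they are dropped from the upgrade queue.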
UPDATE (July 11, 2023, 06:40 a.m. ET):
“VMware has confirmed that exploit code for CVE-2023-20864 has been published,” the company noted in an update to the security advisory.