VMware fixes vRealize log analysis tool bugs

VMware released patches to remediate four security vulnerabilities affecting vRealize Log Insight that could expose users to remote code execution attacks.

vRealize Log Insight is a log analysis and management tool that helps analyze terabytes of infrastructure and application logs in VMware environments.

Two of the flaws are critical, carrying a severity rating of 9.8 out of a maximum of 10, the virtualization services provider noted in its first security bulletin for 2023.

As reported, Tracked as CVE-2022-31706 and CVE-2022-31704, the directory traversal and broken access control issues could be exploited by a threat actor to achieve remote code execution irrespective of the difference in the attack pathway.

An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution and the third vulnerability relates to a deserialization flaw (CVE-2022-31710, CVSS score: 7.5) that could be weaponized by an unauthenticated attacker to trigger a denial-of-service (DoS) condition.

Lastly, vRealize Log Insight has also been found susceptible to an information disclosure bug (CVE-2022-31711, CVSS score: 5.3) which could permit access to sensitive session and application data without any authentication.