VMware published an advisory on 24th Jan 2023 disclosing four new vulnerabilities in VMware vRealize Log Insight. Of the four vulnerabilities, two are rated Critical and two are rated Moderate in severity. The four vulnerabilities are assigned CVSS scores from 9.8 to 5.3. Attackers could abuse these vulnerabilities to carry out remote code execution, denial of service, and sensitive information exfiltration attacks on vulnerable versions of VMware vRealize Log Insight. Organizations that use VMware vRealize Log Insight are strongly advised to fix these four vulnerabilities.
Let’s begin this post with a short introduction to the VMware vRealize Log Insight platform, then look at a summary of the four vulnerabilities in VMware vRealize Log Insight, the affected versions, and finally how to fix the four new vulnerabilities in VMware vRealize Log Insight.
A Short Note About VMware vRealize Log Insight:
VMware vRealize Log Insight is a cloud-based log management and analytics platform that enables users to collect, analyze, and monitor logs from multiple sources. Such log management platforms allow infrastructure administrators and security teams to have greater visibility and insights into the performance and security of their infrastructure. Additionally, the VMware vRealize Log Insight platform provides automated alerting and real-time analytics capabilities, enabling users to detect issues and address them quickly. The application also offers built-in integrations with various third-party applications and services, allowing for even greater customization and flexibility.
Key features of VMware vRealize Log Insight:
- Automated log collection and ingestion: VMware vRealize Log Insight can collect and ingest logs from multiple sources like servers, applications, and network devices, including on-premise and cloud-based sources.
- Real-time analytics: The platform offers real-time analytics capabilities, allowing users to quickly detect and address issues as they arise.
- Alerting and notifications: vRealize Log Insight can issue alerts and notifications for admin and security teams, keeping them informed about any incidents or changes in the environment.
- Third-party integrations: The platform integrates with various third-party applications and services, allowing for even greater customization and flexibility.
Overall, VMware vRealize Log Insight is a powerful log management platform for IT administrators and security teams who need to monitor their infrastructure efficiently and securely. With its intuitive dashboards, sophisticated analytics, broad third-party integrations, automated alerting capabilities, and comprehensive search capabilities, it provides an effective way to gain operational visibility into physical, virtual, and cloud environments.
Summary of the 4 New Vulnerabilities in VMware vRealize Log Insight:
As per the advisory released by VMware, four vulnerabilities have been identified in the VMware vRealize Log Insight platform. Of the four, two are marked as critical in severity with a CVSS score of 9.8, and the remaining two flaws are marked as medium with CVSS scores of 7.5 and 5.3 out of 10.
CVE ID | Description | CVSS Score | CVSS Vector |
---|---|---|---|
CVE-2022-31706 | A Directory Traversal Vulnerability in VMware vRealize Log Insight | 9.8 critical | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-31704 | A Broken Access Control Vulnerability in VMware vRealize Log Insight | 9.8 critical | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-31710 | A Deserialization Vulnerability in VMware vRealize Log Insight | 7.5 Medium | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVE-2022-31711 | An Information Disclosure Vulnerability in VMware vRealize Log Insight | 5.3 Medium | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
CVE-2022-31706
This is a Directory Traversal vulnerability in VMware vRealize Log Insight. The successful exploitation of this flaw would allow an unauthenticated attacker to perform remote code execution attacks on the vulnerable versions of the VMware vRealize Log Insight platform. Attackers could exploit this flaw just by uploading a malicious file onto the operating system of a vulnerable appliance.
CVE-2022-31704
This is a Broken Access Control vulnerability in VMware vRealize Log Insight. The successful exploitation of this flaw would allow an unauthenticated attacker to perform remote code execution attacks on the vulnerable versions of the VMware vRealize Log Insight platform. Attackers could exploit this flaw just by uploading a malicious file onto the operating system of a vulnerable appliance.
CVE-2022-31710
This is a Deserialization vulnerability in VMware vRealize Log Insight. The successful exploitation of this flaw would allow an unauthenticated attacker to perform denial of service attacks on the vulnerable versions of the VMware vRealize Log Insight platform. Attackers could exploit this flaw just by triggering the deserialization of untrusted data.
CVE-2022-31711
This is an Information Disclosure vulnerability in VMware vRealize Log Insight. The successful exploitation of this flaw would allow an unauthenticated, remote attacker to collect sensitive session and application information from the vulnerable versions of the VMware vRealize Log Insight platform.
VMware vRealize Log Insight Versions Affected.
According to the Zero Day Initiative (ZDI) program, run by TrendMicro, a well-known security firm, all the versions up to v8.10 are affected by these four vulnerabilities.
- All versions equal to or less than 8.10.
How to Fix the 4 New Vulnerabilities in VMware vRealize Log Insight?
VMware has released a patched version of the vRealize Log Insight platform to address these vulnerabilities. We recommend upgrading all versions equal to or less than 8.10 to 8.10.2 or higher to patch the vulnerabilities. Please download VMware vRealize Log Insight v8.10.2 for your operating system from here: https://customerconnect.vmware.com/downloads/details?downloadGroup=VRLI-8102&productId=1351
Upgrade guidelines are made available with the release notes. Please don’t forget to refer to the release notes and upgrade path for more details.
You can upgrade vRealize Log Insight to version 8.10 from 8.8.x and to 8.8 from 8.6.x. You can upgrade to version 8.4 from 8.3 or 8.2, and to 8.1 from 4.8 or 8.0. To upgrade to the rest of the versions, you must follow an incremental upgrade path. The upgrade includes automatically upgrading the nodes in a cluster.
– VMware
How to Upgrade vRealize Log Insight to the Latest Version?
VMware has published a comprehensive document about upgrading the VMware vRealize Log Insight platform to the latest version. Please check out their document for complete details.
How to Apply Workaround?
VMware has released a workaround for those who can’t apply the patch any time soon, and has made the workaround scripts available for download. Please download the KB90635_1.zip file using the download link in the table below. This zip file has two files in it: KB90635.sh and KB90635_validate.sh. KB90635.sh is the script to run to apply the workaround. KB90635_validate.sh is the script to run to validate that the workaround is applied.
Name: | KB90635_1.zip |
---|---|
Release Date: | 2023-01-26 |
Download Link: | https://customerconnect.vmware.com/en/downloads/details?downloadGroup=VRLI-8102&productId=1034&rPId=100036 |
MD5SUM: | 41fc5f13319a28431965247ec6ae322b |
SHA1SUM: | 6589e02cd5fe0457835a570edbf1ad1cf53d18a7 |
SHA256SUM: | be8af166e7208cf4b9eb8c63d65d626382f9171a6125c11a9e4c64e4caa6b575 |
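
An integrity check for the downloaded archive, added here as an example (it is not part of VMware's KB or the original post): it compares the file's SHA-256 with the value published in the table above before the scripts are copied to an appliance and run as root. The function names and the script layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify KB90635_1.zip against the published SHA-256
# before extracting it or uploading its scripts to an appliance.

# SHA-256 value published in the table above for KB90635_1.zip.
KB90635_SHA256="be8af166e7208cf4b9eb8c63d65d626382f9171a6125c11a9e4c64e4caa6b575"

# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE.
# Uses sha256sum when present, otherwise falls back to shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 if FILE is missing or unreadable.
verify_sha256() {
    file=$1
    # Normalise the expected digest so upper-case hex also compares equal.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 2
    fi
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# When a path is given on the command line, check it and stop on failure,
# e.g.: sh verify_kb90635.sh ./KB90635_1.zip
if [ -n "${1:-}" ]; then
    verify_sha256 "$1" "$KB90635_SHA256" || exit $?
fi
```

A non-zero exit means the archive should be downloaded again rather than extracted.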
Time needed: 10 minutes.
- Upload the workaround scripts to the appliances
Log into the appliances as root via SSH. Upload the “KB90635.sh” script into “/opt/vmware/bin/”.
- Set the file permission to executable
Use the chmod command to make the file executable. Run these commands to do that:
chmod +x /opt/vmware/bin/KB90635.sh
chmod 755 /opt/vmware/bin/KB90635.sh
- Apply the workaround
Run the script with the “setup” command to apply the workaround.
/opt/vmware/bin/KB90635.sh setup
- Validate the workaround
Upload the “KB90635_validate.sh” script into “/opt/vmware/bin/”.
Run these commands to set execution permission.
chmod +x /opt/vmware/bin/KB90635_validate.sh
chmod 755 /opt/vmware/bin/KB90635_validate.sh
Execute the validation steps by running the command:
/opt/vmware/bin/KB90635_validate.sh
Note: Please ensure that all the VRLI nodes in the cluster are listed in the output.
The script will go through several iterations to complete the validation process. Ensure that no errors appear during execution. Upon successful execution, a message confirming success will be displayed on your screen. This completes the validation.
- Repeat this process on every node in the cluster and restart the service
Repeat this process on every node in the cluster. Once all is done, restart the service by passing “stop” and “start” arguments.
/opt/vmware/bin/KB90635.sh stop
/opt/vmware/bin/KB90635.sh start
We hope this post helped you know how to fix the 4 new vulnerabilities in VMware vRealize Log Insight.