VMware Releases Aria Operations for Logs Updates
April 24, 2023
VMware issued a security advisory regarding two vulnerabilities affecting VMware Aria Operations for Logs.
The Vulnerabilities
- CVE-2023-20864 (CVSS 3.1: 9.8, Critical) – Deserialization Vulnerability. Successful exploitation of this vulnerability by an unauthenticated threat actor may lead to arbitrary code execution as root.
- CVE-2023-20865 (CVSS 3.1: 7.2, High) – Command Injection Vulnerability. Successful exploitation of this vulnerability by a threat actor with administrative privileges may lead to arbitrary command execution as root.
Affected Products
- VMware Aria Operations for Logs (Operations for Logs) – 8.6.x, 8.8.x, 8.10, 8.10.2, 8.12.
- VMware Cloud Foundation (VMware Aria Operations for Logs) – 4.x
Mitigation
CYREBRO recommends updating relevant products to the latest available releases in accordance with the VMware Advisory.
References: VMware Advisory