Get in Touch
Indiscriminate, opportunistic targeting.
VMware has disclosed a critical deserialisation vulnerability, tracked as CVE-2023-20864 (CVSS score: 9.8), which impacts multiple versions of Aria Operations for Logs, a log analysis tool responsible for managing substantial quantities of application and infrastructure logs.
Successful exploitation of CVE-2023-20864 could grant an unauthenticated threat actor with network access to VMware Aria Operations for Logs that could lead to execute arbitrary code execution.
Further, the exploitation could be exploited remotely by unauthenticated threat actors in low-complexity attacks that don’t require user interaction.
VMware has released a patch for the vulnerability. As such, previous versions are vulnerable to potential exploit.
VMware Aria Operations for Logs (formerly vRealize Log Insight)
It should be noted that only version 8.10.2 is impacted by the vulnerability.
Containment, Mitigations & Remediations
It is strongly recommended that users apply the VMware Aria Operations for Logs 8.12 update, which can be found listed in the “Fixed Version” column of the “Response Matrix” table within the VMware advisory.
Indicators of Compromise
No specific Indicators of Compromise (IoCs) are available at this time.
VMware occupies a significant proportion of the virtualisation market share. Given that threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on, VMware products have become a prime target for threat actors. Due to the fact that virtual machines have become an integral aspect of both personal and business affairs, threat actors will continue to exploit vulnerabilities contained within the associated devices in an attempt to extract the sensitive information contained therein.
The security flaw has emerged just three months after VMware addressed two critical vulnerabilities in the same product (tracked as CVE-2022-31704 and CVE-2022-31706), exploitation of which could also result in remote code execution.
No attribution to specific threat actors or groups has been identified at the time of writing.
– TA0002 – Execution