VMware vRealize vulnerabilities addressed

BleepingComputer reports that VMware has issued a fix for two security flaws in vRealize Log Insight, which has been renamed VMware Aria Operations for Logs. Threat actors could exploit the critical deserialization vulnerability, tracked as CVE-2023-20864, to achieve arbitrary code execution, while the other flaw, tracked as CVE-2023-20865, could allow attackers with administrative privileges to execute arbitrary commands as root. There has been no evidence of active exploitation of either bug. "CVE-2023-20864 is a critical issue and should be patched immediately as per the instructions in the advisory. It needs to be highlighted that only version 8.10.2 is impacted by this vulnerability (CVE-2023-20864). Other versions of VMware Aria Operations for Logs (formerly vRealize Log Insight) are impacted by CVE-2023-20865 but this has a lower CVSSv3 score of 7.2," said VMware. The update comes after VMware addressed two other critical flaws in vRealize in January.
