CVE-2022-31704
published 2023-01-26


Priority: P193 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
In the wild: exploited (ITW exploit; VulnCheck KEV) · use: initial access
EPSS: 81.01% (99.6th percentile)
The vRealize Log Insight contains a broken access control vulnerability. An unauthenticated malicious actor can remotely inject code into sensitive files of an impacted appliance which can result in remote code execution.

Affected (2 ranges)

Vendor   Product               Version range        Fixed in
vmware   vrealize_log_insight  3.0 – 4.8            -
vmware   vrealize_log_insight  >= 8.0.0, < 8.10.2   8.10.2

Detection & IOCs (extracted from sources)

url:    /i18n/component/JS?locale=en-US
url:    /api/v1/version
other:  RemotePakDownloadCommand
other:  GetConfigRequest
other:  PakUpgradeCommand
other:  shodan: http.title:"vrealize log insight"
  • Detect exploitation attempts by monitoring for unauthenticated GET requests to /i18n/component/JS?locale=en-US or /api/v1/version returning HTTP 200 with body containing 'logInsight' or 'releaseName":' — used by scanners to fingerprint vulnerable versions.
  • Flag vulnerable vRealize Log Insight instances by extracting the version field from API responses and checking whether it falls in one of the affected ranges listed above: 3.0 – 4.8, or >= 8.0.0 and < 8.10.2.
  • Monitor for abuse of Thrift RPC endpoints (RemotePakDownloadCommand, GetConfigRequest, PakUpgradeCommand) on the vRealize Log Insight appliance, which are leveraged to achieve arbitrary file write and RCE.
  • Monitor for unexpected cron job creation on vRealize Log Insight appliances, as the default exploit payload writes a cron job to establish a reverse shell.
  • Detect IP address spoofing attempts targeting vRealize Log Insight master/worker node IPs, as the exploit requires the attacker to present the same IP as a master/worker node.
  • Alert on specially crafted PAK archive uploads to vRealize Log Insight, which are used to drop a JSP webshell payload under a pre-authenticated API endpoint location.
  • Exploitation requires the attacker to have network access to the vRealize Log Insight appliance; the product is unlikely to be internet-exposed, meaning attackers likely already have an internal foothold.
  • CVE-2022-31704 is part of a chain (VMSA-2023-0001) with CVE-2022-31706 (directory traversal) and CVE-2022-31711 (information disclosure); all three must be considered together for full RCE impact assessment.
  • CVE-2023-34051 is a bypass for the original VMSA-2023-0001 exploit chain; patching CVE-2022-31704 alone may not be sufficient if CVE-2023-34051 is unaddressed.
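The first two detection bullets above, turned into a runnable check (an added example for this page, not code from VMware or from any of the cited sources): it flags successful unauthenticated GETs to the two fingerprint paths in web-access-log lines and tests a version string against the two affected ranges in the table. The combined log format, the sample log lines and API body, and the JSON key "version" in the /api/v1/version response are assumptions; the page only states that the body contains 'logInsight' or 'releaseName":'.

```python
import json
import re
from typing import List, Optional, Tuple

# Pre-auth paths scanners hit to fingerprint the appliance (from the IOC list above).
FINGERPRINT_PATHS = ("/i18n/component/JS?locale=en-US", "/api/v1/version")

# Affected ranges as listed in the Affected table:
#   3.0 .. 4.8  (upper bound inclusive, so 4.8.x counts)
#   >= 8.0.0 and < 8.10.2
# Versions outside both ranges (for example 5.x through 7.x) are not listed on
# the page and are therefore not flagged here.
AFFECTED_RANGES = (
    ((3, 0), (4, 8), True),
    ((8, 0, 0), (8, 10, 2), False),
)

# Combined/common access-log format (assumed); only the needed fields are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def parse_version(text: str) -> Tuple[int, ...]:
    """'8.8.2-20064545' -> (8, 8, 2); the build suffix after '-' is ignored."""
    core = text.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def _pad(v: Tuple[int, ...], n: int) -> Tuple[int, ...]:
    return v + (0,) * (n - len(v))


def is_affected(version: str) -> bool:
    """True when the version falls in one of the listed affected ranges."""
    v = parse_version(version)
    for low, high, inclusive in AFFECTED_RANGES:
        n = max(len(low), len(high), len(v))
        if _pad(v, n) < _pad(low, n):
            continue
        if inclusive:
            # Compare only as many components as the bound has: 4.8.1 is still "4.8".
            if v[:len(high)] <= high:
                return True
        elif _pad(v, n) < _pad(high, n):
            return True
    return False


def find_fingerprint_hits(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, path) for successful GETs to the fingerprint paths."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] == "GET" and m["status"] == "200" and m["path"] in FINGERPRINT_PATHS:
            hits.append((m["ip"], m["path"]))
    return hits


def version_from_api_body(body: str) -> Optional[str]:
    """Extract the version string from an /api/v1/version JSON body.

    The key name "version" is an assumption, not something the page states.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return None
    value = data.get("version") if isinstance(data, dict) else None
    return value if isinstance(value, str) else None


def triage(log_lines: List[str], api_body: str) -> dict:
    """Combine both checks into one verdict for a single appliance."""
    version = version_from_api_body(api_body)
    return {
        "fingerprint_hits": find_fingerprint_hits(log_lines),
        "version": version,
        "affected": bool(version) and is_affected(version),
    }


# Constructed sample data (not real captures): four access-log lines and one API body.
SAMPLE_LOG = """\
10.0.0.7 - - [26/Jan/2023:10:14:03 +0000] "GET /i18n/component/JS?locale=en-US HTTP/1.1" 200 1843 "-" "python-requests/2.28.1"
10.0.0.7 - - [26/Jan/2023:10:14:04 +0000] "GET /api/v1/version HTTP/1.1" 200 52 "-" "python-requests/2.28.1"
10.0.0.22 - - [26/Jan/2023:10:15:10 +0000] "GET /login HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
10.0.0.22 - - [26/Jan/2023:10:15:12 +0000] "GET /api/v1/version HTTP/1.1" 401 0 "-" "Mozilla/5.0"
""".splitlines()
SAMPLE_API_BODY = '{"releaseName":"GA","version":"8.8.2-20064545"}'

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_API_BODY))
```

A single fingerprint hit from a host that then goes quiet is low signal on its own; the pairing that matters is a 200 on one of these paths followed by traffic to the Thrift ports or a PAK upload from the same source, which is why the function returns the client IP alongside the path. The 401 line in the sample is deliberately not flagged: the IOC is an unauthenticated request that succeeds, not any request to the path.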

CVSS provenance

nvd        v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck        9.8  CRITICAL