CVE-2022-31711
Published 2023-01-26
Priority P276 · medium · 5.3 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 21.66% (97.3th percentile)
VMware vRealize Log Insight contains an Information Disclosure Vulnerability. A malicious actor can remotely collect sensitive session and application information without authentication.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vmware | vrealize_log_insight | 3.0 – 4.8 | — |
| vmware | vrealize_log_insight | >= 8.0.0 < 8.10.2 | 8.10.2 |
Detection & IOCs
sigma
VMware vRealize Log Insight Information Disclosure (CVE-2022-31711)
- Detect unauthenticated calls to the Thrift RPC service on vRealize Log Insight, specifically GetConfigRequest (node token harvesting) followed by RemotePakDownloadCommand and PakUpgradeCommand sequences.
- Look for newly created JSP files under pre-authenticated API endpoint locations on vRealize Log Insight, which would indicate successful PAK archive extraction as part of RCE exploitation.
- CVE-2022-31711 is chained with CVE-2022-31706 (directory traversal) and CVE-2022-31704 (broken access control); detect any of these in combination as they form the VMSA-2023-0001 exploit chain enabling unauthenticated RCE.
- Monitor for cron job creation on vRealize Log Insight appliances, as the default PoC payload writes a cron job to establish a reverse shell.
- Exploitation requires the attacker to already have a foothold on the network, as vRealize Log Insight is unlikely to be internet-exposed; this CVE is most relevant as a lateral movement enabler.
- The Metasploit module targets vRealize Log Insight v8.x specifically; version fingerprinting via the 'version' field in the HTTP response body can confirm exposure.
- CVE-2023-34051 is a bypass for the original VMSA-2023-0001 exploit chain (which includes CVE-2022-31711); patching VMSA-2023-0001 alone is insufficient if CVE-2023-34051 is unpatched.
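CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| vulncheck | — | 5.3 | MEDIUM | — |
| vendor_redhat | — | 5.5 | MEDIUM | — |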
Red Hat
kernel: scsi: lpfc: Fix call trace observed during I/O with CMF enabled
vendor_redhat·2025-02-26·CVSS 5.5
CVE-2022-49537 [MEDIUM] CWE-362 kernel: scsi: lpfc: Fix call trace observed during I/O with CMF enabled
In the Linux kernel, the following vulnerability has been resolved:
scsi: lpfc: Fix call trace observed during I/O with CMF enabled
The following was seen with CMF enabled:
```
BUG: using smp_processor_id() in preemptible
code: systemd-udevd/31711
kernel: caller is lpfc_update_cmf_cmd+0x214/0x420 [lpfc]
kernel: CPU: 12 PID: 31711 Comm: systemd-udevd
kernel: Call Trace:
kernel:
kernel: dump_stack_lvl+0x44/0x57
kernel: check_preemption_disabled+0xbf/0xe0
kernel: lpfc_update_cmf_cmd+0x214/0x420 [lpfc]
kernel: lpfc_nvme_fcp_io_submit+0x23b4/0x4df0 [lpfc]
```
this_cpu_ptr() calls smp_processor_id() in a preemptible context.
Fix by using per_cpu_ptr() with raw_smp_processor_id() instead.
A vulnerability has been identified in the
VMware
VMware vRealize Log Insight latest updates address multiple security vulnerabilities (CVE-2022-31706, CVE-2022-31704, CVE-2022-31710, CVE-2022-31711)
vendor_vmware·2023-01-24·CVSS 9.8
CVE-2022-31704 [CRITICAL] VMware vRealize Log Insight latest updates address multiple security vulnerabilities (CVE-2022-31706, CVE-2022-31704, CVE-2022-31710, CVE-2022-31711)
VMSA-2023-0001: VMware vRealize Log Insight latest updates address multiple security vulnerabilities (CVE-2022-31706, CVE-2022-31704, CVE-2022-31710, CVE-2022-31711)
The vRealize Log Insight contains a Directory Traversal Vulnerability. VMware has evaluated the severity of this issue to be in the critical severity range with a maximum CVSSv3 base score of 9.8.
CVEs: CVE-2022-31704, CVE-2022-31706, CVE-2022-31710, CVE-2022-31711
Affected products: VMware Aria, VMware Cloud Foundation, VMware vRealize
GHSA
GHSA-jpmc-cx3p-xjqg: VMware vRealize Log Insight contains an Information Disclosure Vulnerability
ghsa_unreviewed·2023-01-26
CVE-2022-31711 [MEDIUM] CWE-200 GHSA-jpmc-cx3p-xjqg: VMware vRealize Log Insight contains an Information Disclosure Vulnerability
VMware vRealize Log Insight contains an Information Disclosure Vulnerability. A malicious actor can remotely collect sensitive session and application information without authentication.
VulnCheck
VMware vRealize Log Insight Information Disclosure
vulncheck·2022·CVSS 5.3
CVE-2022-31711 [MEDIUM] VMware vRealize Log Insight Information Disclosure
VMware vRealize Log Insight contains an Information Disclosure Vulnerability. A malicious actor can remotely collect sensitive session and application information without authentication.
Affected: VMware vrealize_log_insight
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://25491742.fs1.hubspotusercontent-eu1.net/hubfs/25491742/WAZAWAKA_TLPCLEAR_Report.pdf
Exploit PoC: https://vulncheck.com/xdb/bc1dbcfee34d
No detection rules found.
Nuclei
VMware vRealize Log Insight < v8.10.2 - Information Disclosure
nuclei·CVSS 5.3
CVE-2022-31711 [MEDIUM] VMware vRealize Log Insight < v8.10.2 - Information Disclosure
VMware vRealize Log Insight = 8.0.0', '= 3.0', '< 4.8')"
```yaml
# fragment: the matcher lines that precede this point are truncated in the source
condition: or
extractors:
  - type: regex
    part: body
    name: version
    group: 1
    regex:
      - 'version"\s*:\s*"([0-9.]+)'
```
Metasploit
VMware vRealize Log Insight Unauthenticated RCE
metasploit
VMware vRealize Log Insight versions v8.x contain multiple vulnerabilities, such as directory traversal, broken access control, deserialization, and information disclosure. When chained together, these vulnerabilities allow a remote, unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user. This module achieves code execution by triggering a `RemotePakDownloadCommand` command via the exposed Thrift service after obtaining the node token by calling a `GetConfigRequest` Thrift command. After the download, it triggers a `PakUpgradeCommand` to process the specially crafted PAK archive, which then places the JSP payload under a certain API endpoint (pre-authenticated) location upon
Bleepingcomputer
VMware warns admins of public exploit for vRealize RCE flaw
blogs_bleepingcomputer·2023-10-24·CVSS 9.8
CVE-2023-34051 [CRITICAL] VMware warns admins of public exploit for vRealize RCE flaw
## VMware warns admins of public exploit for vRealize RCE flaw
## Sergiu Gatlan
VMware warned customers on Monday that proof-of-concept (PoC) exploit code is now available for an authentication bypass flaw in vRealize Log Insight (now known as VMware Aria Operations for Logs).
"Updated VMSA to note that VMware has confirmed that exploit code for CVE-2023-34051 has been published," the company said in an update to the original advisory.
Tracked as CVE-2023-34051, it allows unauthenticated attackers to execute code remotely with root permissions if certain conditions are met.
Successful exploitation hinges on the attacker compromising a host within the targeted environment and possessing permissions to add an extra interface or static IP address, according to Horizon3 security research
Checkpoint
6th February – Threat Intelligence Report
blogs_checkpoint·2023-02-06
CVE-2022-31711 6th February – Threat Intelligence Report
## 6th February – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 6th February, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Check Point Research has flagged the Dingo crypto Token, with a market cap of $10,941,525 as a scam. The threat actors behind the token added a backdoor function in its smart contract, to manipulate the fee. Specifically, they used the “setTaxFeePercent” function within the token’s smart contract code to manipulate the buyin
Bugzilla
CVE-2022-49537 kernel: scsi: lpfc: Fix call trace observed during I/O with CMF enabled
bugzilla·2025-02-26·CVSS 5.5
CVE-2022-49537 [MEDIUM] CVE-2022-49537 kernel: scsi: lpfc: Fix call trace observed during I/O with CMF enabled
Discussion:
Upstream a
- http://packetstormsecurity.com/files/174606/VMware-vRealize-Log-Insight-Unauthenticated-Remote-Code-Execution.html
- https://www.vmware.com/security/advisories/VMSA-2023-0001.html