• VMware vRealize Operations

Multiple vulnerabilities in vRealize Operations were privately reported to VMware. Patches are available to remediate this vulnerability in affected VMware products. 

VMware vRealize Operations contains a privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.2.

A malicious actor with administrative network access can escalate privileges to root.

To remediate CVE-2022-31672, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

None.

None.

None.

VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute for reporting this issue to us.

A low-privileged malicious actor with network access can create and leak hex dumps, leading to information disclosure. Successful exploitation can lead to a remote code execution.

To remediate CVE-2022-31673, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

None.

None.

None.

VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute for reporting this issue to us.

A low-privileged malicious actor with network access can access log files that lead to information disclosure.

To remediate CVE-2022-31674, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

None.

None.

None.

VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute for reporting this issue to us.

An unauthenticated malicious actor with network access may be able to create a user with administrative privileges. 

To remediate CVE-2022-31675, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

None.

None.

None.

VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute for reporting this issue to us.

VMware vRealize Operations 8.6.4:

Release Notes: https://docs.vmware.com/en/vRealize-Operations/8.6.4/rn/vrealize-operations-864-release-notes/index.html

Downloads: https://customerconnect.vmware.com/en/downloads/info/slug/infrastructure_operations_management/vmware_vrealize_operations/8_6

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31672

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31673

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31674

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31675

FIRST CVSSv3 Calculator:

CVE-2022-31672: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2022-31673: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2022-31674: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2022-31675: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

2022-08-09: VMSA-2022-0022
Initial security advisory.

E-mail list for product security notifications and announcements:

https://lists.vmware.com/mailman/listinfo/security-announce 

This Security Advisory is posted to the following lists:  

[email protected]  

[email protected]  

[email protected] 

E-mail: [email protected]

PGP key at:

https://kb.vmware.com/kb/1055 

VMware Security Advisories

https://www.vmware.com/security/advisories 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security 

Twitter

https://twitter.com/VMwareSRC

Copyright 2022 VMware Inc. All rights reserved.