VMSA-2025-0003: VMware Aria Operations for Logs and VMware Aria Operations updates address multiple vulnerabilities (CVE-2025-22218, CVE-2025-22219, CVE-2025-22220, CVE-2025-22221 and CVE-2025-22222)
Advisory ID: | VMSA-2025-0003 |
Advisory Severity: | Important |
CVSSv3 Range: | 5.2-8.5 |
Synopsis: | VMware Aria Operations for Logs and VMware Aria Operations updates address multiple vulnerabilities (CVE-2025-22218, CVE-2025-22219, CVE-2025-22220, CVE-2025-22221, CVE-2025-22222) |
Issue date: | 2025-01-30 |
Updated on: | 2025-01-30 |
CVE(s) | CVE-2025-22218, CVE-2025-22219, CVE-2025-22220, CVE-2025-22221, CVE-2025-22222 |
1. Impacted Products
- VMware Aria Operations for Logs
- VMware Aria Operations
- VMware Cloud Foundation
2. Introduction
Multiple vulnerabilities in VMware Aria Operations for Logs and VMware Aria Operations were privately reported to VMware. Patches are available to remediate these vulnerabilities in the affected VMware products.
3a. VMware Aria Operations for Logs information disclosure vulnerability (CVE-2025-22218)
Description:
VMware Aria Operations for Logs contains an information disclosure vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.5.
Known Attack Vectors:
A malicious actor with View Only Admin permissions may be able to read the credentials of a VMware product integrated with VMware Aria Operations for Logs.
Resolution:
To remediate CVE-2025-22218, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds:
None.
Additional Documentation:
None.
Acknowledgements:
VMware would like to thank Maxime Escourbiac, Michelin CERT, Yassine Bengana, Abicom from Michelin CERT and Quentin Ebel, Abicom from Michelin CERT for reporting this issue to us.
Notes:
None.
3b. VMware Aria Operations for Logs stored cross-site scripting vulnerability (CVE-2025-22219)
Description:
VMware Aria Operations for Logs contains a stored cross-site scripting vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 6.8.
Known Attack Vectors:
A malicious actor with non-administrative privileges may be able to inject a malicious script (stored cross-site scripting) that may lead to arbitrary operations being performed as the admin user.
Resolution:
To remediate CVE-2025-22219, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds:
None.
Additional Documentation:
None.
Acknowledgements:
VMware would like to thank Maxime Escourbiac, Michelin CERT, Yassine Bengana, Abicom from Michelin CERT and Quentin Ebel, Abicom from Michelin CERT for reporting this issue to us.
Notes:
None.
3c. VMware Aria Operations for Logs broken access control vulnerability (CVE-2025-22220)
Description:
VMware Aria Operations for Logs contains a privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.3.
Known Attack Vectors:
A malicious actor with non-administrative privileges and network access to Aria Operations for Logs API may be able to perform certain operations in the context of an admin user.
Resolution:
To remediate CVE-2025-22220, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds:
None.
Additional Documentation:
None.
Acknowledgements:
VMware would like to thank Maxime Escourbiac, Michelin CERT, Yassine Bengana, Abicom from Michelin CERT and Quentin Ebel, Abicom from Michelin CERT for reporting this issue to us.
Notes:
None.
3d. VMware Aria Operations for Logs stored cross-site scripting vulnerability (CVE-2025-22221)
Description:
VMware Aria Operations for Logs contains a stored cross-site scripting vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.2.
Known Attack Vectors:
A malicious actor with admin privileges to VMware Aria Operations for Logs may be able to inject a malicious script that could be executed in a victim's browser when performing a delete action in the Agent Configuration.
Resolution:
To remediate CVE-2025-22221, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds:
None.
Additional Documentation:
None.
Acknowledgements:
VMware would like to thank Maxime Escourbiac, Michelin CERT, Yassine Bengana, Abicom from Michelin CERT and Quentin Ebel, Abicom from Michelin CERT for reporting this issue to us.
Notes:
None.
3e. VMware Aria Operations information disclosure vulnerability (CVE-2025-22222)
Description:
VMware Aria Operations contains an information disclosure vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.7.
Known Attack Vectors:
A malicious user with non-administrative privileges may exploit this vulnerability to retrieve credentials for an outbound plugin if a valid service credential ID is known.
Resolution:
To remediate CVE-2025-22222, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds:
None.
Additional Documentation:
None.
Acknowledgements:
VMware would like to thank Maxime Escourbiac, Michelin CERT, Yassine Bengana, Abicom from Michelin CERT and Quentin Ebel, Abicom from Michelin CERT for reporting this issue to us.
Notes:
None.
Response Matrix:
Product | Version | Running On | CVE(s) | CVSSv3 | Severity | Fixed versions | Workarounds | Additional Documentation |
VMware Aria Operations for Logs | 8.x | Any | CVE-2025-22218, CVE-2025-22219, CVE-2025-22220, CVE-2025-22221 | 8.5, 6.8, 4.3, 5.2 | Important | 8.18.3 | None | None |
VMware Aria Operations | 8.x | Any | CVE-2025-22222 | 7.7 | Important | 8.18.3 | None | None |
VMware Cloud Foundation | 5.x, 4.x | Any | CVE-2025-22218, CVE-2025-22219, CVE-2025-22220, CVE-2025-22221, CVE-2025-22222 | 8.5, 6.8, 4.3, 5.2, 7.7 | Important | | None | None |
4. References:
Fixed Version(s) and Release Notes:
Aria Operations for Logs 8.18.3
Aria Operations 8.18.3
Additional Documentation:
None.
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22218
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22219
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22220
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22221
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22222
FIRST CVSSv3 Calculator:
CVE-2025-22218: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE-2025-22219: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
CVE-2025-22220: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVE-2025-22221: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N
CVE-2025-22222: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
5. Change Log:
2025-01-30: VMSA-2025-0003
Initial security advisory.
6. Contact:
E-mail: [email protected]
PGP key
https://knowledge.broadcom.com/external/article/321551
VMware Security Advisories
https://www.broadcom.com/support/vmware-security-advisories
VMware External Vulnerability Response and Remediation Policy
https://www.broadcom.com/support/vmware-services/security-response
VMware Lifecycle Support Phases
https://support.broadcom.com/group/ecx/productlifecycle
VMware Security Blog
https://blogs.vmware.com/security
X
https://x.com/VMwareSRC
Copyright 2025 Broadcom All rights reserved.