VMware Aria Operations (formerly VMware vRealize Operations) automates and simplifies IT management with full-stack visibility, from physical, virtual and cloud infrastructure, including Virtual Machines (VMs) and containers, to the applications they support. It delivers continuous performance optimisation, efficient capacity and cost management, proactive planning, intelligent remediation and integrated compliance. It is available on premises and as-a-service. More information on this product is available here, along with a link to my blog post.
An arbitrary file read vulnerability in VMware Aria Operations was privately reported to VMware by Yu Dai of NSFOCUS TIANJI Lab. Updates (patches) are available to remediate this vulnerability in the affected VMware products.
What Exploit Does This Vulnerability Present?
A malicious actor with administrative privileges may be able to read arbitrary files containing sensitive data.
Remediation
To remediate CVE-2022-31682, apply the patches listed in the ‘Fixed Version’ column of the ‘Resolution Matrix’ found below.
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
Aria Operations | 8.x | Any | CVE-2022-31682 | 4.9 | Moderate | 8.10 | N/A | N/A |