Multiple vulnerabilities in VMware vRealize Network Insight (vRNI) were privately reported to VMware. Patches and updates are available to remediate these vulnerabilities in vRNI 6.2 / 6.3 / 6.4 / 6.5.1 / 6.6 and 6.7.

CVE-2022-31702 :
vRealize Network Insight (vRNI) contains a command injection vulnerability present in the vRNI REST API.

CVE-2022-31703 :
vRealize Network Insight (vRNI) directory traversal vulnerability in vRNI REST API. 

These vulnerabilities and their impacts on vRNI are documented in the following VMware Security Advisory (VMSA), please review this document before continuing:

• VMSA-2022-0031:VMware vRealize Network Insight (vRNI) updates address command injection and directory traversal security vulnerabilities

Both CVE-2022-31702/CVE-2022-31703 are addressed in vRNI 6.8 and different hot patches are available for 6.2 / 6.3 / 6.4 / 6.5.1 / 6.6 and 6.7 versions.

To mitigate the vulnerability, VMware highly recommends upgrading to vRNI 6.8 that contains the fixes. If upgrading is not possible, below patches are available for vRealize Network Insight version 6.2 / 6.3 / 6.4 / 6.5.1 / 6.6 and 6.7.


Patch Download Details:

Patch for vRealize Network Insight version 6.2.0  

Patch for vRealize Network Insight version 6.3.0

Patch for vRealize Network Insight version 6.4.0

Patch for vRealize Network Insight version 6.5.1

Patch for vRealize Network Insight version 6.6.0

Patch for vRealize Network Insight version 6.7.0

Note: Above patches are cumulative of any previous patches for the same version



Procedure to apply vRealize Network Insight patch bundle:

1. Download the update patch file and save the file on your local system.
2. Log into the vRealize Network Insight GUI as an Administrator user.
   
   Note: The default admin@local account can be used.
   
   
3. Navigate to Settings > Install and Support > Overview and Updates, then under Product, select Click here.
4. Click Browse to select the locally downloaded patch file and click Upload.
   
   Notes:
    
   • When the upload is complete, vRealize Network Insight shows the Bundle Upload Complete message notification within 2-3 minutes and the bundle processing happens in the background.
   • Until the upload of the package happens, ensure that the session is not closed. If the session ends, you have to restart the upload process.
   • Do not refresh the page after bundle upload, until you see the Update Available message notification.
     
     
5. In the Bundle Available message notification, click View details
   
   vRealize Network Insight Update screen appears.
   
   
   
6. Read the Before you proceed instruction and click Continue.
7. Wait for the pre-checks to complete, which verifies:
   
   
   • the disk space, including the space required for migration
   • the version
   • the NTP sync status
   • the bundle checksum
     
     
8. Click Install Now.
   
   You can see the approximate time required to complete the update process on your setup.
   
   
9. Once the update process begins, the vRealize Network Insight Update screen provides the status of the update process.
   
   Notes:
   • If a node becomes inactive, the update process does not continue. The update will not resume until the node becomes active again.
   • Once the platforms are updated, you can resume your normal vRealize Network Insight operations even though the collector update happens in parallel. Until the update process is completely over, the Node Version Mismatch detected the message is shown in the Install and Support page.
     
     
10. Upon the completion of the update process, you see the below confirmation message.
    
    All platform and the collector nodes are updated.

For more information about how to download Broadcom products, refer to Download Broadcom products and software