VMware has released a new security advisory VMSA-2021-0004: VMware vRealize Operations updates address Server Side Request Forgery and Arbitrary File Write vulnerabilities (CVE-2021-21975, CVE-2021-21983).
Multiple vulnerabilities in VMware ESXi, Workstation and Fusion were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products. This advisory documents the remediation of one critical issue and one important issue.
The Common Vulnerabilities and Exposures project has assigned the identifier CVE-2021-21975 to the server side request forgery vulnerability in the vRealize Operations Manager API and CVE-2021-21983 to the arbitrary file write vulnerability in the vRealize Operations Manager API.
A malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials. An authenticated malicious actor with network access to the vRealize Operations Manager API can write files to arbitrary locations on the underlying Photon operating system.
VMSA-2021-0004 – Affected Products and Resolutions
The following products are affected by both vulnerabilities:
- vRealize Operations Manager 8.3.0
  - install vRealize Operations 8.3 Security Patch
- vRealize Operations Manager 8.2.0
  - install vRealize Operations 8.2 Security Patch
- vRealize Operations Manager 8.1.0 or 8.1.1
  - install vRealize Operations 8.1.1 Security Patch
- vRealize Operations Manager 8.0.0 or 8.0.1
  - install vRealize Operations 8.0.1 Security Patch
- vRealize Operations Manager 7.5.0
  - install vRealize Operations 7.5 Security Patch
If these patches cannot be installed, or there is no patch for your version of vRealize Operations, the above knowledge base articles provide detailed workaround steps. In the additional FAQ page, VMware states that implementing the workarounds has no impact; no functionality will be affected by modifying the XML file as detailed in the KB articles.
VMware also listed the product suites which use one of the affected versions of vRealize Operations Manager:
- VMware Cloud Foundation 4.x
- VMware Cloud Foundation 3.x
- vRealize Suite Lifecycle Manager 8.x
You can check reports on other VMware vulnerabilities on my page dedicated to Security Advisories.