VMSA-2021-0001
Important
Advisory ID:
VMSA-2021-0001
CVSSv3 Range:
7.2
Issue Date:
2021-02-11
Updated On:
2021-02-11 (Initial Advisory)
CVE(s):
CVE-2021-21976
Synopsis:
vSphere Replication updates address a command injection vulnerability (CVE-2021-21976)
1. Impacted Products
vSphere Replication
2. Introduction
A command injection vulnerability in vSphere Replication was privately reported to VMware . Updates are available to address this vulnerability in the affected product.
3. Authenticated Command Injection Vulnerability in vSphere Replication(CVE-2021-21976)
Description
vSphere Replication contains a post-authentication command injection vulnerability in “Startup Configuration” page. VMware has evaluated this issue to be ‘Important’ severity with a maximum CVSSv3 base score of 7.2.
Known Attack Vectors
A malicious actor with administrative access in vSphere Replication can execute shell commands on the underlying system. Successful exploitation of this issue may allow authenticated admin user to perform a remote code execution.
Resolution
To remediate CVE-2021-21976, apply the patches listed in the ‘Fixed Version’ column of the ‘Resolution Matrix’ found below.
Workarounds
None.
Additional Documentation
None.
Notes
None.
Acknowledgements
VMware would like to thank Egor Dimitrenko from Positive Technologies for reporting this issue to us.
Response Matrix
Product
Version
Running On
CVE Identifier
CVSSv3
Severity
Fixed Version
Workarounds
Additional Documentation
vSphere Replication
8.3.x
Any
CVE-2021-21976
7.2
important
8.3.1.2
None
None
vSphere Replication
8.2.x
Any
CVE-2021-21976
7.2
important
8.2.1.1
None
None
vSphere Replication
8.1.x
Any
CVE-2021-21976
7.2
important
8.1.2.3
None
None
vSphere Replication
6.5.x
Any
CVE-2021-21976
7.2
important
6.5.1.5
None
None
4. References
vSphere Replication 8.3.1.2
Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VR8312&productId=742
https://docs.vmware.com/en/vSphere-Replication/8.3/rn/vsphere-replication-8312-release-notes.html
vSphere Replication 8.2.1.1
Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VR8211&productId=742https://docs.vmware.com/en/vSphere-Replication/8.2/rn/vsphere-replication-821-release-notes.html
vSphere Replication 8.1.2.3
Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VR8123&productId=742https://docs.vmware.com/en/vSphere-Replication/8.1/rn/vsphere-replication-812-release-notes.html
vSphere Replication 6.5.1.5 Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?productId=614&downloadGroup=VR6515https://docs.vmware.com/en/vSphere-Replication/6.5/rn/vsphere-replication-651-release-notes.html
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21976
FIRST CVSSv3 Calculator:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
5. Change Log
2021-02-11 VMSA-2021-0001 Initial security advisory.
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org
E-mail: security@vmware.com
PGP key at:
https://kb.vmware.com/kb/1055
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Twitter
Tweets by VMwareSRC
Copyright 2020 VMware Inc. All rights reserved. VMware Security AdvisoryRead More