VMSA-2021-0001

Important

Advisory ID:
VMSA-2021-0001

CVSSv3 Range:
7.2

Issue Date:
2021-02-11

Updated On:
2021-02-11 (Initial Advisory)

CVE(s):
CVE-2021-21976

Synopsis:
vSphere Replication updates address a command injection vulnerability (CVE-2021-21976)

1. Impacted Products

vSphere Replication

2. Introduction

A command injection vulnerability in vSphere Replication was privately reported to VMware . Updates are available to address this vulnerability in the affected product.

3. Authenticated Command Injection Vulnerability in vSphere Replication(CVE-2021-21976)

Description

vSphere Replication contains a post-authentication command injection vulnerability in “Startup Configuration” page. VMware has evaluated this issue to be ‘Important’ severity with a maximum CVSSv3 base score of 7.2.

Known Attack Vectors

A malicious actor with administrative access in vSphere Replication can execute shell commands on the underlying system. Successful exploitation of this issue may allow authenticated admin user to perform a remote code execution.  

Resolution

To remediate CVE-2021-21976, apply the patches listed in the ‘Fixed Version’ column of the ‘Resolution Matrix’ found below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Egor Dimitrenko from Positive Technologies for reporting this issue to us.

Response Matrix

Product
Version
Running On
CVE Identifier
CVSSv3
Severity
Fixed Version
Workarounds
Additional Documentation

vSphere Replication

8.3.x

Any

CVE-2021-21976

7.2

important

8.3.1.2

None

None

vSphere Replication

8.2.x

Any

CVE-2021-21976

7.2

important

8.2.1.1

None

None

vSphere Replication

8.1.x

Any

CVE-2021-21976

7.2

important

8.1.2.3

None

None

vSphere Replication

6.5.x

Any

CVE-2021-21976

7.2

important

6.5.1.5

None

None

4. References

vSphere Replication 8.3.1.2
Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VR8312&productId=742
https://docs.vmware.com/en/vSphere-Replication/8.3/rn/vsphere-replication-8312-release-notes.html
 
vSphere Replication 8.2.1.1
Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VR8211&productId=742https://docs.vmware.com/en/vSphere-Replication/8.2/rn/vsphere-replication-821-release-notes.html
 
vSphere Replication 8.1.2.3
Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VR8123&productId=742https://docs.vmware.com/en/vSphere-Replication/8.1/rn/vsphere-replication-812-release-notes.html
 
vSphere Replication 6.5.1.5 Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?productId=614&downloadGroup=VR6515https://docs.vmware.com/en/vSphere-Replication/6.5/rn/vsphere-replication-651-release-notes.html
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21976
FIRST CVSSv3 Calculator:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

5. Change Log

2021-02-11 VMSA-2021-0001 Initial security advisory.

6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/mailman/listinfo/security-announce 
 
This Security Advisory is posted to the following lists:  
security-announce@lists.vmware.com  
bugtraq@securityfocus.com  
fulldisclosure@seclists.org 
 
E-mail: security@vmware.com
PGP key at:
https://kb.vmware.com/kb/1055 
 
VMware Security Advisories
https://www.vmware.com/security/advisories 
 
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html 
 
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html 
 
VMware Security & Compliance Blog  
https://blogs.vmware.com/security 
 
Twitter

 
Copyright 2020 VMware Inc. All rights reserved.  VMware Security AdvisoryRead More