VMSA-2021-0004

Critical

Advisory ID:
VMSA-2021-0004

CVSSv3 Range:
7.2 – 8.6

Issue Date:
2021-03-30

Updated On:
2021-03-30 (Initial Advisory)

CVE(s):
CVE-2021-21975, CVE-2021-21983

Synopsis:
VMware vRealize Operations updates address Server Side Request Forgery and Arbitrary File Write vulnerabilities (CVE-2021-21975, CVE-2021-21983)

1. Impacted Products

VMware vRealize Operations
VMware Cloud Foundation
vRealize Suite Lifecycle Manager

2. Introduction

Multiple vulnerabilities in VMware vRealize Operations were privately reported to VMware. Patches and workarounds are available to address these vulnerabilities in the impacted VMware products.

3a. Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975)

Description

The vRealize Operations Manager API contains a Server Side Request Forgery. VMware has evaluated this issue to be of ‘Important’ severity with a maximum CVSSv3 base score of 8.6.

Known Attack Vectors

A malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials.
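The vulnerability class above, server-side request forgery, is typically mitigated by validating every outbound URL a server will fetch on a client's behalf before the request is made. The following is an added illustration of that check in generic Python; it is not VMware code and says nothing about how the vROps API itself is implemented or patched. The allowlist hosts, the injectable resolver and the sample addresses are constructed for the demonstration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist for the demonstration: the only hosts a server-side
# fetcher is permitted to contact (an assumption, not a vROps setting).
ALLOWED_HOSTS = {"api.example.com", "updates.example.com"}
ALLOWED_SCHEMES = {"https"}


def default_resolver(host):
    """Resolve a hostname to the set of addresses it maps to (system resolver)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_blocked_address(ip_text):
    """True for addresses a server-side request must never reach: loopback,
    private, link-local (cloud metadata endpoints live here), multicast,
    reserved and unspecified ranges."""
    ip = ipaddress.ip_address(ip_text)
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=default_resolver):
    """Return (ok, reason). The URL is accepted only if the scheme, the host and
    every address the host resolves to all pass; any single failure rejects it."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname  # already lower-cased; IPv6 brackets stripped
    if not host:
        return False, "missing host"
    if host not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    try:
        addresses = resolver(host)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return False, f"name resolution failed: {exc}"
    if not addresses:
        return False, "host resolved to no addresses"
    for addr in addresses:
        if is_blocked_address(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver so the demo runs offline; the addresses are sample values.
    fake_dns = {"api.example.com": {"93.184.216.34"},
                "updates.example.com": {"10.0.0.5"}}
    resolver = lambda h: fake_dns.get(h, set())
    for candidate in ("https://api.example.com/v1/status",
                      "http://api.example.com/v1/status",
                      "https://updates.example.com/",
                      "https://169.254.169.254/latest/meta-data/",
                      "https://admin:secret@api.example.com/"):
        print(candidate, "->", validate_outbound_url(candidate, resolver=resolver))
```

The check fails closed and validates the resolved addresses rather than only the hostname, so an allowlisted name that is later pointed at an internal address is still refused. When the request is actually sent, connect to the address that was validated rather than resolving the name a second time, otherwise a DNS rebinding between check and use defeats the check. For the vROps issue itself, the remediation is the patch or workaround in the Response Matrix below; this example only shows the control the vulnerability class calls for.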

Resolution

To remediate CVE-2021-21975 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to impacted deployments.

Workarounds

Workarounds for CVE-2021-21975 have been listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.

Additional Documentation

A FAQ was created which is listed in the ‘Additional Documentation’ column of the ‘Response Matrix’ below.

Acknowledgements

VMware would like to thank Egor Dimitrenko of Positive Technologies for reporting this vulnerability to us.

3b. Arbitrary file write vulnerability in vRealize Operations Manager API (CVE-2021-21983)

Description

The vRealize Operations Manager API contains an arbitrary file write vulnerability. VMware has evaluated this issue to be of ‘Important’ severity with a maximum CVSSv3 base score of 7.2.

Known Attack Vectors

An authenticated malicious actor with network access to the vRealize Operations Manager API can write files to arbitrary locations on the underlying Photon operating system.
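The defensive pattern for the arbitrary file write class named above is to confine every client-influenced path to one permitted directory after full resolution, so that absolute paths, `..` traversal and symlinks pointing elsewhere are all refused. The code below is an added, generic illustration in Python; it is not VMware code and does not describe the vROps API or its fix. The base directory and the sample paths are constructed for the demonstration.

```python
import os
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a requested path would land outside the permitted directory."""


def resolve_under(base_dir, requested):
    """Map a client-supplied relative path onto a location strictly inside
    base_dir. Absolute paths, '..' traversal and symlinks that point outside
    the base are all rejected after resolve() has followed links and
    collapsed '..' components."""
    base = Path(base_dir).resolve(strict=True)
    requested_path = Path(requested)
    if requested_path.is_absolute():
        raise UnsafePathError("absolute paths are not accepted")
    candidate = (base / requested_path).resolve()
    # The base itself is not a valid file target; everything else must have
    # the base as an ancestor once fully resolved.
    if candidate == base or base not in candidate.parents:
        raise UnsafePathError(f"{requested!r} resolves outside {base}")
    return candidate


def safe_write(base_dir, requested, data):
    """Write data to the resolved path and return it. O_NOFOLLOW (on platforms
    that have it) refuses a symlink planted at the final component between the
    check and the open, and 0o600 keeps the new file private to the service."""
    target = resolve_under(base_dir, requested)
    target.parent.mkdir(parents=True, exist_ok=True)
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


if __name__ == "__main__":
    import tempfile
    base = tempfile.mkdtemp()  # constructed sandbox directory for the demo
    print("written:", safe_write(base, "reports/summary.txt", b"demo"))
    for bad in ("../outside.txt", "/etc/hosts", "a/../../b.txt"):
        try:
            safe_write(base, bad, b"demo")
        except UnsafePathError as exc:
            print("rejected:", exc)
```

The containment check is done on the fully resolved path rather than on the string the client sent, which is what defeats encoded or nested `../` sequences and symlink tricks alike. The remaining gap is a race on the directory components between resolution and open; running the service as a dedicated low-privilege account that can write nowhere but the base directory limits what such a race could reach.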

Resolution

To remediate CVE-2021-21983 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.

Workarounds

Workarounds for CVE-2021-21983 have been listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.

Additional Documentation

A FAQ was created which is listed in the ‘Additional Documentation’ column of the ‘Response Matrix’ below.

Acknowledgements

VMware would like to thank Egor Dimitrenko of Positive Technologies for reporting this vulnerability to us.

Notes

None.

Response Matrix:

Product                     | Version      | Running On | CVE Identifier                 | CVSSv3    | Severity | Fixed Version | Workarounds | Additional Documentation
vRealize Operations Manager | 8.3.0        | Any        | CVE-2021-21975, CVE-2021-21983 | 7.2 – 8.6 | Critical | KB83210       | KB83210     | FAQ
vRealize Operations Manager | 8.2.0        | Any        | CVE-2021-21975, CVE-2021-21983 | 7.2 – 8.6 | Critical | KB83095       | KB83095     | FAQ
vRealize Operations Manager | 8.1.1, 8.1.0 | Any        | CVE-2021-21975, CVE-2021-21983 | 7.2 – 8.6 | Critical | KB83094       | KB83094     | FAQ
vRealize Operations Manager | 8.0.1, 8.0.0 | Any        | CVE-2021-21975, CVE-2021-21983 | 7.2 – 8.6 | Critical | KB83093       | KB83093     | FAQ
vRealize Operations Manager | 7.5.0        | Any        | CVE-2021-21975, CVE-2021-21983 | 7.2 – 8.6 | Critical | KB82367       | KB82367     | FAQ

Impacted Product Suites that Deploy Response Matrix Components:

Product                                  | Version | Running On | CVE Identifier                 | CVSSv3    | Severity | Fixed Version | Workarounds                                    | Additional Documentation
VMware Cloud Foundation (vROps)          | 4.x     | Any        | CVE-2021-21975, CVE-2021-21983 | 7.2 – 8.6 | Critical | KB83260       | See ‘Response Matrix’ workaround column above  | FAQ
VMware Cloud Foundation (vROps)          | 3.x     | Any        | CVE-2021-21975, CVE-2021-21983 | 7.2 – 8.6 | Critical | KB83260       | See ‘Response Matrix’ workaround column above  | FAQ
vRealize Suite Lifecycle Manager (vROps) | 8.x     | Any        | CVE-2021-21975, CVE-2021-21983 | 7.2 – 8.6 | Critical | KB83260       | See ‘Response Matrix’ workaround column above  | FAQ

4. References

vRealize Operations Manager
8.3.0: https://kb.vmware.com/s/article/83210
8.2.0: https://kb.vmware.com/s/article/83095
8.1.1: https://kb.vmware.com/s/article/83094
8.0.1: https://kb.vmware.com/s/article/83093
7.5.0: https://kb.vmware.com/s/article/82367

VMware Cloud Foundation (vROps)
4.x/3.x: https://kb.vmware.com/s/article/83260

vRealize Suite Lifecycle Manager (vROps)
8.x: https://kb.vmware.com/s/article/83260

FIRST CVSSv3 Calculator:
CVE-2021-21975 – https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVE-2021-21983 – https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21975
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21983

5. Change Log

2021-03-30: VMSA-2021-0004 Initial security advisory.

6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce 
 
This Security Advisory is posted to the following lists:  
security-announce@lists.vmware.com  
bugtraq@securityfocus.com  
fulldisclosure@seclists.org 
 
E-mail: security@vmware.com
PGP key at:
https://kb.vmware.com/kb/1055 
 
VMware Security Advisories
https://www.vmware.com/security/advisories 
 
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html 
 
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html 
 
VMware Security & Compliance Blog  
https://blogs.vmware.com/security 
 
Copyright 2021 VMware Inc. All rights reserved.