VMSA-2021-0004
Critical
Advisory ID:
VMSA-2021-0004.1
CVSSv3 Range:
7.2 – 8.6
Issue Date:
2021-03-30
Updated On:
2021-03-31
CVE(s):
CVE-2021-21975, CVE-2021-21983
Synopsis:
VMware vRealize Operations updates address Server Side Request Forgery and Arbitrary File Write vulnerabilities (CVE-2021-21975, CVE-2021-21983)
1. Impacted Products
VMware vRealize Operations
VMware Cloud Foundation
vRealize Suite Lifecycle Manager
2. Introduction
Multiple vulnerabilities in VMware vRealize Operations were privately reported to VMware. Patches and Workarounds are available to address these vulnerabilities in impacted VMware products.
3a. Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975)
Description
The vRealize Operations Manager API contains a Server Side Request Forgery. VMware has evaluated this issue to be of ‘Important’ severity with a maximum CVSSv3 base score of 8.6.
Known Attack Vectors
A malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials. No authentication is required: the CVSSv3 vector for this issue, listed under References, has PR:N.
Resolution
To remediate CVE-2021-21975 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to impacted deployments.
Workarounds
Workarounds for CVE-2021-21975 have been listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.
Additional Documentation
A FAQ was created which is listed in the ‘Additional Documentation’ column of the ‘Response Matrix’ below.
Acknowledgements
VMware would like to thank Egor Dimitrenko of Positive Technologies for reporting this vulnerability to us.
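The advisory does not describe how the vRealize Operations Manager API validates outbound request targets, and the following is not VMware code. It is an added, generic example of the control that prevents the SSRF class named above: a destination allow-list checked before any server-side fetch, with the resolved address pinned so that the name cannot be re-pointed (for example at a loopback or link-local address) between the check and the connection. The host names, port and DNS answers in it are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption (illustrative, not from the advisory): the only hosts this
# service legitimately fetches from, and the only port it uses.
ALLOWED_HOSTS = {"collector.example.internal", "vcenter.example.internal"}
ALLOWED_PORTS = {443}

# Constructed DNS data so the example runs offline. "vcenter" deliberately
# "resolves" to the cloud metadata address to show that an allow-listed name
# is still rejected when it points somewhere a server-side fetch must not go.
OFFLINE_DNS = {
    "collector.example.internal": {"10.0.0.5"},
    "vcenter.example.internal": {"169.254.169.254"},
}


def resolve(host):
    """Live resolver: the set of addresses host currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def offline_resolver(host):
    """Stand-in for resolve() backed by OFFLINE_DNS (unknown names resolve to nothing)."""
    return set(OFFLINE_DNS.get(host, ()))


def unsafe_address(ip):
    """Addresses a server-side fetch should never be sent to: loopback, link-local
    (169.254.0.0/16 carries cloud metadata services), multicast, unspecified or
    reserved ranges. Deployments that only ever reach Internet hosts should also
    reject a.is_private; this example allows private addresses because the
    allow-listed hosts are internal."""
    a = ipaddress.ip_address(ip)
    return (a.is_loopback or a.is_link_local or a.is_multicast
            or a.is_unspecified or a.is_reserved)


def validate_target(url, resolver=resolve):
    """Return (host, port, pinned_ip) for a URL the service may fetch, or raise
    ValueError. The caller must connect to pinned_ip (sending host as the Host
    header / SNI) instead of re-resolving, so a DNS answer that changes between
    this check and the connection (rebinding) cannot redirect the request."""
    u = urlsplit(url)
    if u.scheme != "https":
        raise ValueError("scheme not allowed: %r" % u.scheme)
    if u.username is not None or u.password is not None:
        # "allowed.host@evil.host" parses with evil.host as the hostname;
        # refusing userinfo outright removes the ambiguity.
        raise ValueError("userinfo in URL is not allowed")
    host = (u.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        raise ValueError("host not in allow-list: %r" % host)
    port = u.port or 443
    if port not in ALLOWED_PORTS:
        raise ValueError("port not allowed: %d" % port)
    addrs = resolver(host)
    if not addrs:
        raise ValueError("host does not resolve: %r" % host)
    bad = sorted(ip for ip in addrs if unsafe_address(ip))
    if bad:
        raise ValueError("host resolves to disallowed address(es): %s" % ", ".join(bad))
    return host, port, sorted(addrs)[0]


def target_allowed(url, resolver=resolve):
    """Boolean form of validate_target for callers that only need yes/no."""
    try:
        validate_target(url, resolver=resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ("https://collector.example.internal/api/v1",
                      "http://collector.example.internal/api/v1",
                      "https://169.254.169.254/latest/meta-data/",
                      "https://collector.example.internal@evil.example/",
                      "https://vcenter.example.internal/"):
        print(candidate, "->", "allowed" if target_allowed(candidate, offline_resolver) else "rejected")
```

The allow-list is deliberately on the exact host name rather than on a pattern or on "not a private address": a deny-list of address ranges is the usual way SSRF filters are bypassed (alternate IP encodings, redirects, DNS answers that change). Whatever HTTP client the service uses must also be configured not to follow redirects, or every redirect target must be passed through validate_target again.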
3b. Arbitrary file write vulnerability in vRealize Operations Manager API (CVE-2021-21983)
Description
The vRealize Operations Manager API contains an arbitrary file write vulnerability. VMware has evaluated this issue to be of ‘Important’ severity with a maximum CVSSv3 base score of 7.2.
Known Attack Vectors
An authenticated malicious actor with network access to the vRealize Operations Manager API can write files to arbitrary locations on the underlying Photon OS (the appliance operating system). The CVSSv3 vector for this issue, listed under References, has PR:H: high privileges are required.
Resolution
To remediate CVE-2021-21983 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.
Workarounds
Workarounds for CVE-2021-21983 have been listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.
Additional Documentation
A FAQ was created which is listed in the ‘Additional Documentation’ column of the ‘Response Matrix’ below.
Acknowledgements
VMware would like to thank Egor Dimitrenko of Positive Technologies for reporting this vulnerability to us.
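The advisory does not say which API parameter carries the file name or how the vROps API handles it, and the following is not VMware code. It is an added, generic example of the control that prevents the arbitrary-file-write class named above: a caller-supplied file name is confined to one directory by checking the fully resolved path (symlinks and ".." included) before opening, and the final open refuses to follow a symlink. The directory layout, file names and escape attempts in it are constructed for the example.

```python
import os
import shutil
import tempfile


def safe_join(base_dir, user_path):
    """Return an absolute path under base_dir for user_path, or raise ValueError.
    realpath() resolves symlinks and '..' so the comparison is made on the path
    the kernel would actually open, not on the string the caller supplied."""
    base = os.path.realpath(base_dir)
    if os.path.isabs(user_path):
        raise ValueError("absolute paths are not allowed: %r" % user_path)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes %s: %r" % (base, user_path))
    return candidate


def is_confined(base_dir, user_path):
    """Boolean form of safe_join."""
    try:
        safe_join(base_dir, user_path)
        return True
    except ValueError:
        return False


def write_upload(base_dir, user_path, data):
    """Write data to a confined location and return the path written.
    O_NOFOLLOW guards the final component against a symlink planted after the
    check; intermediate components are covered by realpath() at check time only,
    so a directory the attacker can race (swap for a symlink) would additionally
    need openat()-style traversal, which this example does not show."""
    target = safe_join(base_dir, user_path)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return target


def demo():
    """Constructed scenario: one legitimate upload, then four escape attempts,
    including a symlink planted inside the upload directory that points outside it."""
    base = tempfile.mkdtemp()
    outside = tempfile.mkdtemp()
    try:
        written = write_upload(base, "reports/2021-03/summary.txt", b"ok")
        with open(written, "rb") as f:
            content = f.read()
        inside = written.startswith(os.path.realpath(base) + os.sep) and content == b"ok"
        os.symlink(outside, os.path.join(base, "link"))
        attempts = ["../etc/passwd", "/etc/passwd", "reports/../../x", "link/x.txt"]
        return {"inside": inside, "escapes": [is_confined(base, p) for p in attempts]}
    finally:
        shutil.rmtree(base)
        shutil.rmtree(outside)


if __name__ == "__main__":
    print(demo())
```

The check that matters is the commonpath comparison on the resolved path; a string prefix test on the raw input ("does it start with base_dir?") is defeated by "..", by symlinks inside the directory, and by a sibling directory whose name happens to share the prefix.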
Notes
None.
Response Matrix:
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
vRealize Operations Manager | 8.3.0 | Any | CVE-2021-21975, CVE-2021-21983 | 7.2 – 8.6 | Critical | KB83210 | KB83210 | FAQ
vRealize Operations Manager | 8.2.0 | Any | CVE-2021-21975, CVE-2021-21983 | 7.2 – 8.6 | Critical | KB83095 | KB83095 | FAQ
vRealize Operations Manager | 8.1.1, 8.1.0 | Any | CVE-2021-21975, CVE-2021-21983 | 7.2 – 8.6 | Critical | KB83094 | KB83094 | FAQ
vRealize Operations Manager | 8.0.1, 8.0.0 | Any | CVE-2021-21975, CVE-2021-21983 | 7.2 – 8.6 | Critical | KB83093 | KB83093 | FAQ
vRealize Operations Manager | 7.5.0 | Any | CVE-2021-21975, CVE-2021-21983 | 7.2 – 8.6 | Critical | KB82367 | KB82367 | FAQ
vRealize Operations Manager | 7.0.0 | Any | CVE-2021-21975, CVE-2021-21983 | 7.2 – 8.6 | Critical | No patch planned | KB83287 | FAQ
Impacted Product Suites that Deploy Response Matrix Components:
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
VMware Cloud Foundation (vROps) | 4.x | Any | CVE-2021-21975, CVE-2021-21983 | 7.2 – 8.6 | Critical | KB83260 | See ‘Response Matrix’ workaround column above | FAQ
VMware Cloud Foundation (vROps) | 3.x | Any | CVE-2021-21975, CVE-2021-21983 | 7.2 – 8.6 | Critical | KB83260 | See ‘Response Matrix’ workaround column above | FAQ
vRealize Suite Lifecycle Manager (vROps) | 8.x | Any | CVE-2021-21975, CVE-2021-21983 | 7.2 – 8.6 | Critical | KB83260 | See ‘Response Matrix’ workaround column above | FAQ
4. References
Remediation and Workarounds:
vRealize Operations Manager 8.3.0: https://kb.vmware.com/s/article/83210
vRealize Operations Manager 8.2.0: https://kb.vmware.com/s/article/83095
vRealize Operations Manager 8.1.1: https://kb.vmware.com/s/article/83094
vRealize Operations Manager 8.0.1: https://kb.vmware.com/s/article/83093
vRealize Operations Manager 7.5.0: https://kb.vmware.com/s/article/82367
vRealize Operations Manager 7.0.0: https://kb.vmware.com/s/article/83287
VMware Cloud Foundation (vROps) 4.x/3.x: https://kb.vmware.com/s/article/83260
vRealize Suite Lifecycle Manager (vROps) 8.x: https://kb.vmware.com/s/article/83260
FIRST CVSSv3 Calculator:
CVE-2021-21975 – https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVE-2021-21983 – https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21975
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21983
5. Change Log
2021-03-30: VMSA-2021-0004 Initial security advisory.
2021-03-31: VMSA-2021-0004.1 Updated advisory with information on vROps 7.0.0 workarounds.
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org
E-mail: security@vmware.com
PGP key at:
https://kb.vmware.com/kb/1055
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Twitter: @VMwareSRC
Copyright 2021 VMware Inc. All rights reserved.