VMware Security Announcement VMSA-2021-0001

Today the first security advisory was released for 2021. This one is VMSA-2021-0001 and affects vSphere Replication. The updates address a command injection vulnerability (CVE-2021-21976).

Impacted Products
  • vSphere Replication

Introduction

A command injection vulnerability in vSphere Replication was privately reported to VMware. Updates are available to address this vulnerability in the affected product.

Authenticated Command Injection Vulnerability in vSphere Replication (CVE-2021-21976)

Description

vSphere Replication contains a post-authentication command injection vulnerability in the "Startup Configuration" page. VMware has evaluated this issue to be 'Important' severity with a maximum CVSSv3 base score of 7.2.

Known Attack Vectors

A malicious actor with administrative access in vSphere Replication can execute shell commands on the underlying system. Successful exploitation of this issue may allow an authenticated admin user to perform remote code execution.

Resolution

For vSphere Replication 8.3.x, apply fixed version 8.3.1.2

For vSphere Replication 8.2.x, apply fixed version 8.2.1.1

For vSphere Replication 8.1.x, apply fixed version 8.1.2.3

For vSphere Replication 6.5.x, apply fixed version 6.5.1.5

Download and release note links will be provided below.
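
The branch-to-fixed-version list above can be turned into a quick inventory check. The following is an added example, not code from VMware or from the original post; the hostnames and installed versions in the sample inventory are constructed, and it assumes that every release in a listed branch below the fixed version still needs the update.

```python
import re

# Fixed version per release branch, from the Resolution list above.
FIXED = {
    (8, 3): (8, 3, 1, 2),
    (8, 2): (8, 2, 1, 1),
    (8, 1): (8, 1, 2, 3),
    (6, 5): (6, 5, 1, 5),
}

def parse_version(text):
    """Parse a dotted version such as '8.3.1.1' into a 4-tuple, zero-padded."""
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text.strip()):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def triage(version_text):
    """Return (status, fixed_version); status is vulnerable, patched or unlisted."""
    installed = parse_version(version_text)
    fixed = FIXED.get(installed[:2])
    if fixed is None:
        # Branch not named in the list above: needs a manual check.
        return "unlisted", None
    # Assumption: every release in a listed branch below the fix needs the update.
    status = "patched" if installed >= fixed else "vulnerable"
    return status, ".".join(map(str, fixed))

def triage_inventory(lines):
    """Triage 'hostname version' lines; blank lines and '#' comments are skipped."""
    report = {}
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            host, version = line.split()
            report[host] = triage(version)
    return report

# Constructed sample inventory: hostnames and installed versions are made up.
SAMPLE = """\
vr-site-a.example.internal 8.3.1.1
vr-site-b.example.internal 8.3.1.2
vr-dr-01.example.internal  8.2.0.2
vr-old.example.internal    8.0.0   # branch not in the list
"""

if __name__ == "__main__":
    for host, (status, fixed) in triage_inventory(SAMPLE.splitlines()).items():
        print(f"{host:28} {status:10} fixed in: {fixed or 'n/a'}")
```

Appliances reported as "unlisted" run a branch that the list above does not name, so check them against the official advisory by hand.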

References

vSphere Replication 8.3.1.2

Downloads and Documentation:

https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VR8312&productId=742

https://docs.vmware.com/en/vSphere-Replication/8.3/rn/vsphere-replication-8312-release-notes.html

vSphere Replication 8.2.1.1

Downloads and Documentation:

https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VR8211&productId=742
https://docs.vmware.com/en/vSphere-Replication/8.2/rn/vsphere-replication-821-release-notes.html

vSphere Replication 8.1.2.3

Downloads and Documentation:

https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VR8123&productId=742
https://docs.vmware.com/en/vSphere-Replication/8.1/rn/vsphere-replication-812-release-notes.html

vSphere Replication 6.5.1.5

Downloads and Documentation:

https://my.vmware.com/web/vmware/downloads/details?productId=614&downloadGroup=VR6515
https://docs.vmware.com/en/vSphere-Replication/6.5/rn/vsphere-replication-651-release-notes.html

Link to the official advisory

VMSA-2021-0001 (vmware.com)

Thanks for reading!