VMware Security Announcement VMSA-2021-0004 (CVSSv3 base score of 8.6)

A new VMware Security announcement was released today, VMSA-2021-0004, for VMware vRealize Operations. The updates address a Server Side Request Forgery vulnerability and an arbitrary file write vulnerability (CVE-2021-21975 and CVE-2021-21983).

Impacted Products
  • VMware vRealize Operations
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager

Introduction

Multiple vulnerabilities in VMware vRealize Operations were privately reported to VMware. Patches and Workarounds are available to address these vulnerabilities in impacted VMware products.

Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975)

Description

The vRealize Operations Manager API contains a Server Side Request Forgery vulnerability. VMware has evaluated this issue to be of 'Important' severity with a maximum CVSSv3 base score of 8.6.

Known Attack Vectors

A malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials. Note that, unlike CVE-2021-21983 below, no authentication is required: network reachability of the API is enough, which is why this is the higher-scored of the two issues.

Resolution

See below. Both CVEs are fixed by the same patches, so the resolution is listed once, under CVE-2021-21983.

Arbitrary file write vulnerability in vRealize Operations Manager API (CVE-2021-21983)

Description

The vRealize Operations Manager API contains an arbitrary file write vulnerability. VMware has evaluated this issue to be of 'Important' severity with a maximum CVSSv3 base score of 7.2.

Known Attack Vectors

An authenticated malicious actor with network access to the vRealize Operations Manager API can write files to arbitrary locations on the underlying Photon OS.

Resolutions

For vRealize Operations 8.3, use the following KB article vRealize Operations 8.3 Security Patch (83210) (vmware.com)

For vRealize Operations 8.2, use the following KB article vRealize Operations 8.2 Security Patch (83095) (vmware.com)

For vRealize Operations 8.1.1, 8.1.0, use the following KB article vRealize Operations 8.1.1 Security Patch (83094) (vmware.com)

For vRealize Operations 8.0.1 and 8.0.0, use the following KB article vRealize Operations 8.0.1 Security Patch (83093) (vmware.com)

For vRealize Operations 7.5, use the following KB article vRealize Operations 7.5 Security Patch (82367) (vmware.com)

For VMware Cloud Foundation 4.x, 3.x, and vRealize Suite Lifecycle Manager, use the following KB article VMware vRealize Operations security patches (83260)

Additional Documentation

VMware posted a FAQ with more information: VMSA-2021-0004 FAQ (83265) (vmware.com).

FAQ

Q: Who or what is exposed to this vulnerability?
A: All customers running an impacted version of vRealize Operations.

Q: How do I determine if an installation is vulnerable?
A: Any deployment of a vRealize Operations build prior to the fixed version (VMSA-2021-0004) is affected.
    vRealize Operations releases after 8.3 will not be impacted by this vulnerability.

Q: What do I need to do to eliminate this vulnerability?
A: VMware recommends that customers on an affected release of vRealize Operations update to the corresponding fixed version in VMSA-2021-0004.

Q: I don't want to or can't patch/upgrade. Are there other options to remediate?
A: Yes, the corresponding KB article details workaround instructions. For greater detail, see the corresponding KB articles linked below or in VMSA-2021-0004.

Q: What is the impact of implementing the workaround?
A: There is no impact. No functionality will be affected by modifying the XML file as detailed in the KB articles.

Q: Are EoGS versions such as vRealize Operations 6.7 impacted?
A: We cannot publish information on EoS product lines.
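As an added example (not code from VMware or from this post), here is a Python triage script that applies the Resolutions mapping above and the two FAQ rules (releases after 8.3 are not impacted; nothing is published for EoGS lines such as 6.7) to an inventory of vROps appliances. The hostnames, the sample versions and the assumed version-string format are made up for the example; the fixed build numbers live in the KB articles and are not on this page, so the script only tells you which release line a host is on and which KB to open, not whether the patch has already been applied.

```python
"""Triage a vRealize Operations inventory against VMSA-2021-0004.

Added example, not code from VMware or from the original post. It maps each
appliance's reported version to the release line the advisory lists and to
the KB article (from the Resolutions section above) carrying its patch and
workaround. It does not know the fixed build numbers, which live in the
KBs, so a "needs-review" result means "on an affected release line; compare
the build against the KB's fixed build before closing the finding".
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Release lines named in VMSA-2021-0004 -> KB article with patch and workaround.
AFFECTED_LINES: dict[tuple[int, int], int] = {
    (7, 5): 82367,
    (8, 0): 83093,   # covers 8.0.0 and 8.0.1
    (8, 1): 83094,   # covers 8.1.0 and 8.1.1
    (8, 2): 83095,
    (8, 3): 83210,
}
OLDEST_LISTED = (7, 5)    # older lines are EoGS; the FAQ publishes nothing for them
NEWEST_AFFECTED = (8, 3)  # FAQ: releases after 8.3 are not impacted

# Assumed version-string format: "8.3.0", "8.1", "8.2.0 (<build>)", "8.0.1.<build>".
# Anything that does not start with major.minor is treated as unparseable.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:[\s.(].*)?$")


@dataclass(frozen=True)
class Finding:
    host: str
    version: str
    status: str            # needs-review | not-impacted | eogs | unlisted | unparseable
    kb: Optional[int]      # KB article to apply, when one is known


def parse_version(version: str) -> Optional[tuple[int, int, int]]:
    """Return (major, minor, patch) or None when the string is not a version."""
    m = _VERSION_RE.match(version)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def classify(host: str, version: str) -> Finding:
    """Decide which bucket one appliance falls into and which KB applies."""
    parsed = parse_version(version)
    if parsed is None:
        return Finding(host, version, "unparseable", None)
    line = parsed[:2]
    if line < OLDEST_LISTED:
        return Finding(host, version, "eogs", None)        # e.g. 6.7: no vendor statement
    if line > NEWEST_AFFECTED:
        return Finding(host, version, "not-impacted", None)
    kb = AFFECTED_LINES.get(line)
    if kb is None:
        # Between 7.5 and 8.3 but not a line the advisory names: check by hand.
        return Finding(host, version, "unlisted", None)
    return Finding(host, version, "needs-review", kb)


def triage(inventory: list[tuple[str, str]]) -> list[Finding]:
    """Classify every (host, version) pair in an inventory."""
    return [classify(host, version) for host, version in inventory]


def work_orders(findings: list[Finding]) -> dict[int, list[str]]:
    """Group hosts that need review by the KB article an admin must open."""
    orders: dict[int, list[str]] = {}
    for f in findings:
        if f.status == "needs-review" and f.kb is not None:
            orders.setdefault(f.kb, []).append(f.host)
    return orders


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [
        ("vrops-prod-01", "8.3.0"),
        ("vrops-prod-02", "8.1.1"),
        ("vrops-lab-01", "8.2.0 (build-number)"),
        ("vrops-legacy", "6.7"),
        ("vrops-new", "8.4.0"),
        ("vrops-odd", "unknown"),
    ]
    for f in triage(sample):
        print(f"{f.host:14} {f.version:22} {f.status:13} KB {f.kb or '-'}")
    print(work_orders(triage(sample)))
```

Feed it the version strings your CMDB or the appliance admin UI reports; the `unlisted` and `unparseable` buckets exist so that an odd string is surfaced rather than silently treated as safe, which is the failure mode to avoid when the unauthenticated SSRF is the issue in question.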

References

vRealize Operations Manager
8.3.0: https://kb.vmware.com/s/article/83210
8.2.0: https://kb.vmware.com/s/article/83095
8.1.1: https://kb.vmware.com/s/article/83094
8.0.1: https://kb.vmware.com/s/article/83093
7.5.0: https://kb.vmware.com/s/article/82367

VMware Cloud Foundation (vROps)
4.x/3.x: https://kb.vmware.com/s/article/83260

vRealize Suite Lifecycle Manager (vROps)
8.x: https://kb.vmware.com/s/article/83260

Link to the official advisory from VMware: VMSA-2021-0004 (vmware.com).

Thanks for reading!