VMware Security Advisory VMSA-2021-0005, CVSSv3 base score of 9.1

Today VMware released a new Security Advisory, VMSA-2021-0005. It affects the VMware Carbon Black Cloud Workload appliance; the update addresses an incorrect URL handling vulnerability (CVE-2021-21982) that allows an authentication bypass on the appliance's administrative interface.

Impacted Products
  • VMware Carbon Black Cloud Workload appliance

Introduction

A vulnerability in VMware Carbon Black Cloud Workload appliance was privately reported to VMware. An update is available to remediate this vulnerability in the affected versions of the appliance.

Advisory Details

Description

A URL on the administrative interface of the VMware Carbon Black Cloud Workload appliance can be manipulated to bypass authentication. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.1.

Known Attack Vectors

A malicious actor with network access to the administrative interface of the VMware Carbon Black Cloud Workload appliance may be able to obtain a valid authentication token, granting access to the administration API of the appliance. Successful exploitation of this issue would result in the attacker being able to view and alter administrative configuration settings.

Resolution

For Carbon Black Cloud Workload Appliance 1.0.1 and earlier, apply fixed version 1.0.2. Download details and release notes are linked under References below.

Mitigation

VMware best practices recommend implementing network controls to limit access to the local administrative interface of the appliance. Unrestricted network access to this interface is not required for the regular operation of the product.
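The two practical follow-ups to the Resolution and Mitigation sections above are (1) checking whether an appliance version is still in the affected range (1.0.1 and earlier) and (2) restricting the administrative interface to management networks. The script below is an added example written for this page; it is not VMware's code or part of the advisory. It assumes the administrative interface listens on TCP/443 (the advisory does not state the port) and uses constructed sample management subnets; adjust both before use.

```python
"""Added example for VMSA-2021-0005 (CVE-2021-21982); not VMware code.

needs_update(): is a Carbon Black Cloud Workload appliance version at or
below 1.0.1, i.e. still affected?
admin_interface_ruleset(): render an nftables ruleset that accepts the
administrative interface only from management CIDRs, which is the
network-control mitigation the advisory recommends.

Assumptions not stated in the advisory: the admin interface is TCP/443,
and the CIDRs passed in the usage section are constructed samples.
"""
import ipaddress
import re

FIXED_VERSION = "1.0.2"   # from the advisory's Resolution section
ADMIN_PORT = 443          # assumption: appliance admin UI/API over HTTPS


def parse_version(version: str) -> tuple:
    """Turn '1.0.1' (optionally with a build suffix such as '1.0.1-12')
    into a tuple of ints that compares numerically, not lexically."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-+].*)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def needs_update(version: str) -> bool:
    """True when the appliance is 1.0.1 or earlier (affected range)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def admin_interface_ruleset(management_cidrs, port: int = ADMIN_PORT) -> str:
    """Render an nftables 'inet' table that accepts TCP/<port> only from
    the given management networks and drops every other new connection
    to that port. Established flows are left alone so an in-progress
    upgrade session is not cut off when the ruleset is loaded."""
    nets = [ipaddress.ip_network(c, strict=True) for c in management_cidrs]
    if not nets:
        raise ValueError("at least one management network is required")
    v4 = [str(n) for n in nets if n.version == 4]
    v6 = [str(n) for n in nets if n.version == 6]
    lines = [
        "table inet cbc_admin {",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        "    ct state established,related accept",
    ]
    if v4:
        lines.append(f"    ip saddr {{ {', '.join(v4)} }} tcp dport {port} accept")
    if v6:
        lines.append(f"    ip6 saddr {{ {', '.join(v6)} }} tcp dport {port} accept")
    lines += [
        f"    tcp dport {port} ct state new drop",
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample inputs; replace with the real appliance version
    # and your management subnets.
    for v in ("1.0.1", "1.0.2"):
        print(f"{v}: {'UPDATE REQUIRED' if needs_update(v) else 'fixed'}")
    print(admin_interface_ruleset(["10.10.0.0/24", "2001:db8:10::/64"]))
```

Save the rendered ruleset to a file and load it with `nft -f <file>` on the host that fronts the appliance; the accept rules for the management CIDRs must stay above the final drop, which is why they are emitted in that order.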

References

Fixed Version(s) and/or Release Notes
https://docs.vmware.com/en/VMware-Carbon-Black-Cloud-Workload/1.0/rn/cbc-workload-102-release-notes.html

Advisory Link

VMSA-2021-0005 (vmware.com)