VMware Security Announcement VMSA-2021-0018 CVSSv3 Range 4.4-8.6 Important

VMware recently released a new security advisory, VMSA-2021-0018, which affects VMware vRealize Operations. The updates address multiple security vulnerabilities (CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027).

Impacted Products

  • VMware vRealize Operations
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager

Introduction

Multiple vulnerabilities in VMware vRealize Operations were privately reported to VMware. Patches and workarounds are available to address these vulnerabilities in the impacted VMware products.

Arbitrary file read vulnerability in vRealize Operations Manager API (CVE-2021-22022)

Description

The vRealize Operations Manager API contains an arbitrary file read vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.4.

Known Attack Vectors

A malicious actor with administrative access to the vRealize Operations Manager API can read any arbitrary file on the server, leading to information disclosure.

Insecure direct object reference vulnerability in vRealize Operations Manager API (CVE-2021-22023)

Description

The vRealize Operations Manager API contains an insecure direct object reference vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.6.

Known Attack Vectors

A malicious actor with administrative access to the vRealize Operations Manager API may be able to modify other users' information, leading to an account takeover.

Arbitrary log-file read vulnerability in vRealize Operations Manager API (CVE-2021-22024)

Description

The vRealize Operations Manager API contains an arbitrary log-file read vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

Known Attack Vectors

An unauthenticated malicious actor with network access to the vRealize Operations Manager API can read any log file, resulting in sensitive information disclosure.

Broken access control vulnerability in vRealize Operations Manager API (CVE-2021-22025)

Description

The vRealize Operations Manager API contains a broken access control vulnerability leading to unauthenticated API access. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.6.

Known Attack Vectors

An unauthenticated malicious actor with network access to the vRealize Operations Manager API can add new nodes to an existing vROps cluster.

Server-Side Request Forgery in vRealize Operations Manager API (CVE-2021-22026, CVE-2021-22027)

Description

The vRealize Operations Manager API contains a Server-Side Request Forgery vulnerability in multiple endpoints. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

Known Attack Vectors

An unauthenticated malicious actor with network access to the vRealize Operations Manager API can perform a Server-Side Request Forgery attack, leading to information disclosure.

Resolution for these CVEs

vRealize Operations Manager 8.5 is not affected by this advisory.

For vRealize Operations Manager 8.4, apply the fix in the following KB article: vRealize Operations 8.4 Security Patch for VMSA-2021-0018 (85383) (vmware.com)

For vRealize Operations Manager 8.3, apply the fix in the following KB article: vRealize Operations 8.3 Security Patch for VMSA-2021-0018 (85382) (vmware.com)

For vRealize Operations Manager 8.2, apply the fix in the following KB article: vRealize Operations 8.2 Security Patch for VMSA-2021-0018 (85381) (vmware.com)

For vRealize Operations Manager 8.1.1 and 8.1.0, apply the fix in the following KB article: vRealize Operations 8.1.1 Security Patch for VMSA-2021-0018 (85380) (vmware.com)

For vRealize Operations Manager 8.0.1 and 8.0.0, apply the fix in the following KB article: vRealize Operations 8.0.1 Security Patch for VMSA-2021-0018 (85379) (vmware.com)

For vRealize Operations Manager 7.5, apply the fix in the following KB article: vRealize Operations 7.5 Security Patch for VMSA-2021-0018 (85378) (vmware.com)

For VMware Cloud Foundation (vROps) versions 4.x and 3.x and vRealize Suite Lifecycle Manager (vROps), apply the fix in the following KB article: vROps Security Patch for VMSA-2021-0018 in vRLCM (85452) (vmware.com)

VMware also created a FAQ for this advisory. All the details are located here: VMSA-2021-0018 vRealize Operations FAQ (85407) (vmware.com)
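As an added example that is not part of the advisory or of any VMware tooling: a small Python triage helper that maps standalone vRealize Operations Manager versions from an inventory to the KB article listed above, treating 8.5 and later as unaffected and flagging versions the advisory does not name for manual review. The inventory, hostnames and the trailing build-number format are constructed for illustration; Cloud Foundation and vRLCM deployments (KB 85452) are outside its scope.

```python
from typing import Iterable, List, Optional, Tuple

# Lowest (major, minor) of each affected vROps line -> KB article that fixes it.
# The advisory folds 8.1.0 into the 8.1.1 KB and 8.0.0 into the 8.0.1 KB,
# so matching on the minor line is enough.
VROPS_KB_BY_LINE = {
    (8, 4): 85383,
    (8, 3): 85382,
    (8, 2): 85381,
    (8, 1): 85380,
    (8, 0): 85379,
    (7, 5): 85378,
}
NOT_AFFECTED_FROM = (8, 5)  # 8.5 and later are not affected

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.4', '8.1.1' or '8.0.0.16000000' (assumed build suffix) into ints."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)

def triage(version: str) -> Tuple[str, Optional[int]]:
    """Classify one node: ('not_affected'|'patch_required'|'unlisted', kb)."""
    v = parse_version(version)
    line = (v[0], v[1] if len(v) > 1 else 0)
    if line >= NOT_AFFECTED_FROM:
        return "not_affected", None
    kb = VROPS_KB_BY_LINE.get(line)
    if kb is None:
        # Lines the advisory does not name (e.g. 7.6, or anything older than
        # 7.5) are out of scope for this table: escalate for a manual check.
        return "unlisted", None
    return "patch_required", kb

def triage_inventory(nodes: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str, Optional[int]]]:
    """Run triage over (hostname, version) pairs; returns one row per node."""
    return [(host, ver, *triage(ver)) for host, ver in nodes]

if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders, not real systems.
    sample = [("vrops-a.example.test", "8.5.0"), ("vrops-b.example.test", "8.1.0"),
              ("vrops-c.example.test", "8.0.0.16000000"), ("vrops-d.example.test", "7.6.0")]
    for host, ver, status, kb in triage_inventory(sample):
        print(f"{host:22} {ver:16} {status:15} {'KB ' + str(kb) if kb else ''}")
```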

References

Fixed Versions:

vRealize Operations Manager
  • 8.4: https://kb.vmware.com/s/article/85383
  • 8.3: https://kb.vmware.com/s/article/85382
  • 8.2: https://kb.vmware.com/s/article/85381
  • 8.1.1: https://kb.vmware.com/s/article/85380
  • 8.0.1: https://kb.vmware.com/s/article/85379
  • 7.5: https://kb.vmware.com/s/article/85378

VMware Cloud Foundation (vROps)
  • 4.x/3.x: https://kb.vmware.com/s/article/85452

vRealize Suite Lifecycle Manager (vROps)
  • 8.x: https://kb.vmware.com/s/article/85452

Thanks for reading, happy patching!