VMware Security Announcement VMSA-2021-0019 CVSSv3 Score 6.5 Moderate

VMware recently released a new security advisory, VMSA-2021-0019. It affects VMware vRealize Log Insight; the updates address a Cross Site Scripting (XSS) vulnerability (CVE-2021-22021).

Impacted Products
  • VMware vRealize Log Insight
  • VMware Cloud Foundation

Introduction

A cross-site scripting vulnerability in VMware vRealize Log Insight was privately reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.

VMware vRealize Log Insight updates address a Cross Site Scripting (XSS) vulnerability (CVE-2021-22021)

Description

VMware vRealize Log Insight contains a Cross Site Scripting (XSS) vulnerability due to improper user input validation. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.

Known Attack Vectors

An attacker with user privileges may be able to inject a malicious payload via the Log Insight UI, which would be executed when the victim accesses the shared dashboard link.

Resolution

VMware vRealize Log Insight 8.4 is not affected by this advisory.

For vRealize Log Insight 8.3, apply the fix in the following KB article: vRealize Log Insight 8.3 Security Patch for VMSA-2021-0019 (85414) (vmware.com)

For vRealize Log Insight 8.2, apply the fix in the following KB article: vRealize Log Insight 8.2 Security Patch for VMSA-2021-0019 (85412) (vmware.com)

For vRealize Log Insight 8.1.1, 8.1.0, 8.0.0, and 4.x, apply the fix in the following KB article: vRealize Log Insight 8.1.1 Security Patch for VMSA-2021-0019 (85405) (vmware.com)

For VMware Cloud Foundation (vRLI) 4.x, apply fixed version 4.3.

References

Fixed Version(s) and Release Notes:

VMware vRealize Log Insight 8.4.0

Downloads and Documentation:

https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VRLI-840&productId=1141&rPId=68060

https://docs.vmware.com/en/vRealize-Log-Insight/8.4/rn/vRealize-Log-Insight-84.html

VMware vRealize Log Insight

8.3: https://kb.vmware.com/s/article/85414

8.2: https://kb.vmware.com/s/article/85412

8.1.1: https://kb.vmware.com/s/article/85405

VMware Cloud Foundation 4.3

Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/4.3/rn/VMware-Cloud-Foundation-43-Release-Notes.html

Thanks for reading!