Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.1087
VMSA-2021-0004 - VMware vRealize Operations updates address Server Side
Request Forgery and Arbitrary File Write vulnerabilities
31 March 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: VMware vRealize Operations
VMware Cloud Foundation
vRealize Suite Lifecycle Manager
Publisher: VMWare
Operating System: Virtualisation
UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Access Privileged Data -- Remote/Unauthenticated
Create Arbitrary Files -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-21983 CVE-2021-21975
Original Bulletin:
https://www.vmware.com/security/advisories/VMSA-2021-0004.html
- --------------------------BEGIN INCLUDED TEXT--------------------
Advisory ID: VMSA-2021-0004
CVSSv3 Range: 7.2 - 8.6
Issue Date: 2021-03-30
Updated On: 2021-03-30 (Initial Advisory)
CVE(s): CVE-2021-21975, CVE-2021-21983
Synopsis: VMware vRealize Operations updates address Server Side Request
Forgery and Arbitrary File Write vulnerabilities (CVE-2021-21975,
CVE-2021-21983)
1. Impacted Products
o VMware vRealize Operations
o VMware Cloud Foundation
o vRealize Suite Lifecycle Manager
2. Introduction
Multiple vulnerabilities in VMware vRealize Operations were privately reported
to VMware. Patches and Workarounds are available to address these
vulnerabilities in impacted VMware products.
3a. Server Side Request Forgery in vRealize Operations Manager API
(CVE-2021-21975)
Description
The vRealize Operations Manager API contains a Server Side Request
Forgery. VMware has evaluated this issue to be of 'Important' severity with a
maximum CVSSv3 base score of 8.6.
Known Attack Vectors
A malicious actor with network access to the vRealize Operations Manager API
can perform a Server Side Request Forgery attack to steal administrative
credentials.
Resolution
To remediate CVE-2021-21975 apply the updates listed in the 'Fixed Version'
column of the 'Response Matrix' below to impacted deployments.
Workarounds
Workarounds for CVE-2021-21975 have been listed in the 'Workarounds' column of
the 'Response Matrix' below.
Additional Documentation
A FAQ was created which is listed in the 'Additional Documentation' column of
the 'Response Matrix' below.
Acknowledgements
VMware would like to thank Egor Dimitrenko of Positive Technologies for
reporting this vulnerability to us.
3b. Arbitrary file write vulnerability in vRealize Operations Manager API
(CVE-2021-21983)
Description
The vRealize Operations Manager API contains an arbitrary file write
vulnerability. VMware has evaluated this issue to be of 'Important' severity
with a maximum CVSSv3 base score of 7.2.
Known Attack Vectors
An authenticated malicious actor with network access to the vRealize Operations
Manager API can write files to arbitrary locations on the underlying photon
operating system.
Resolution
To remediate CVE-2021-21983 apply the updates listed in the 'Fixed Version'
column of the 'Response Matrix' below to affected deployments.
Workarounds
Workarounds for CVE-2021-21983 have been listed in the 'Workarounds' column of
the 'Response Matrix' below.
Additional Documentation
A FAQ was created which is listed in the 'Additional Documentation' column of
the 'Response Matrix' below.
Acknowledgements
VMware would like to thank Egor Dimitrenko of Positive Technologies for
reporting this vulnerability to us.
Notes
None.
Response Matrix:
Product Version Running CVE Identifier CVSSv3 Severity Fixed Workarounds Additional
On Version Documentation
vRealize CVE-2021-21975, 7.2 -
Operations 8.3.0 Any CVE-2021-21983 8.6 critical KB83210 KB83210 FAQ
Manager
vRealize CVE-2021-21975, 7.2 -
Operations 8.2.0 Any CVE-2021-21983 8.6 critical KB83095 KB83095 FAQ
Manager
vRealize 8.1.1, CVE-2021-21975, 7.2 -
Operations 8.1.0 Any CVE-2021-21983 8.6 critical KB83094 KB83094 FAQ
Manager
vRealize 8.0.1, CVE-2021-21975, 7.2 -
Operations 8.0.0 Any CVE-2021-21983 8.6 critical KB83093 KB83093 FAQ
Manager
vRealize CVE-2021-21975, 7.2 -
Operations 7.5.0 Any CVE-2021-21983 8.6 critical KB82367 KB82367 FAQ
Manager
Impacted Product Suites that Deploy Response Matrix Components:
Product Version Running CVE Identifier CVSSv3 Severity Fixed Workarounds Additional
On Version Documentation
See
VMware 'Response
Cloud 4.x Any CVE-2021-21975, 7.2 - critical KB83260 Matrix' FAQ
Foundation CVE-2021-21983 8.6 workaround
(vROps) column
above
See
VMware 'Response
Cloud 3.x Any CVE-2021-21975, 7.2 - critical KB83260 Matrix' FAQ
Foundation CVE-2021-21983 8.6 workaround
(vROps) column
above
vRealize See
Suite 'Response
Lifecycle 8.x Any CVE-2021-21975, 7.2 - critical KB83260 Matrix' FAQ
Manager CVE-2021-21983 8.6 workaround
(vROps) column
above
4. References
vRealize Operations Manager
8.3.0: https://kb.vmware.com/s/article/83210
8.2.0: https://kb.vmware.com/s/article/83095
8.1.1: https://kb.vmware.com/s/article/83094
8.0.1: https://kb.vmware.com/s/article/83093
7.5.0: https://kb.vmware.com/s/article/82367
VMware Cloud Foundation (vROps)
4.x/3.x: https://kb.vmware.com/s/article/83260
vRealize Suite Lifecycle Manager (vROps)
8.x: https://kb.vmware.com/s/article/83260
FIRST CVSSv3 Calculator:
CVE-2021-21975 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/
PR:N/UI:N/S:C/C:H/I:N/A:N
CVE-2021-21983 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/
PR:H/UI:N/S:U/C:H/I:H/A:H
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21975
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21983
5. Change Log
2021-03-30: VMSA-2020-0004
Initial security advisory.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYGOrw+NLKJtyKPYoAQhdjA/8C5q6/+zt0FeYFVl9qNBdmCAoIEL7KnKv
b7O6VzJ+FwrjAfjiTdOkg9ExEF4mqv6G8B3OpndHhsPEaBRA//zqFiNFJuI8+5JQ
YRLtFPuK0gbkXHDdxd3EIGbg+df9dcpOV1AshkEuW8AGRiTK1YvbLbqKjJUgtKaH
sy6pfQjQYpeVNnXtfZXcbPtQiSdHsHuuh8qMJEdyhJAf5O8TnuUHLxgHkMXYTGCj
xuL3+AYqusZ6WdCgsnWQpUDBs/uuO99l5hNUxg+PzyS/ChUoW8E087j13fKwjBAA
oq5kJ1yI5ncH9c5tAB2MJP1gEQpDBrGlzO7bKYvW5Y0lWVRR/gZIjXxnjwkbRDQp
4L2jptVIoQfdrnGzX3A5YlAiYdGDnGqzubbsPc5Qqd8oYMwxhYHEnErN0gWAlJJG
exsLMr0BnO1IU1OF/Z6Gx3VMmcyTP2LCn0zucyWDTIJoaPzSEIaBtDalGVYbN0Kw
PMlL5cONMFB02rR2oqF6ve9bCT1XJAIJBYrx8+Xx5XbwVGOBtHMXEy8bVIEjoY8Q
QTiOlS6lOGivbjxf8C2EC0yhZ7L+6yqXOw+et/tMb0fQyGmX2prOs1EWfvqyyAX5
VfxMQ7PulRvlkirY6K8+WbAQSMrE6NsUppLUnMrN+WjRgrXr3N2gA8Gg5e5GOXd2
jpgabv1bOYY=
=cnHn
-----END PGP SIGNATURE-----