===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2863
  VMSA-2021-0018 - VMware vRealize Operations update addresses multiple
                         security vulnerabilities
                               25 August 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware vRealize Operations
                   VMware Cloud Foundation
                   vRealize Suite Lifecycle Manager
Publisher:         VMware
Operating System:  Virtualisation
                   VMware
Impact/Access:     Increased Privileges           -- Existing Account
                   Access Confidential Data       -- Remote/Unauthenticated
                   Reduced Security               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-22027 CVE-2021-22026 CVE-2021-22025
                   CVE-2021-22024 CVE-2021-22023 CVE-2021-22022

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2021-0018.html

--------------------------BEGIN INCLUDED TEXT--------------------

Advisory ID:  VMSA-2021-0018
CVSSv3 Range: 4.4 - 8.6
Issue Date:   2021-08-24
Updated On:   2021-08-24 (Initial Advisory)
CVE(s):       CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025,
              CVE-2021-22026, CVE-2021-22027
Synopsis:     VMware vRealize Operations updates address multiple security
              vulnerabilities (CVE-2021-22022, CVE-2021-22023, CVE-2021-22024,
              CVE-2021-22025, CVE-2021-22026, CVE-2021-22027)

1. Impacted Products

  o VMware vRealize Operations
  o VMware Cloud Foundation
  o vRealize Suite Lifecycle Manager

2. Introduction

Multiple vulnerabilities in VMware vRealize Operations were privately reported
to VMware. Patches and workarounds are available to address these
vulnerabilities in impacted VMware products.

3a. Arbitrary file read vulnerability in vRealize Operations Manager API
    (CVE-2021-22022)

Description

The vRealize Operations Manager API contains an arbitrary file read
vulnerability. VMware has evaluated the severity of this issue to be in the
Moderate severity range with a maximum CVSSv3 base score of 4.4.

Known Attack Vectors

A malicious actor with administrative access to the vRealize Operations
Manager API can read any arbitrary file on the server, leading to information
disclosure.

Resolution

To remediate CVE-2021-22022 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

An FAQ covering general queries is listed in the 'Additional Documentation'
column of the 'Response Matrix' below.

Notes

None.

Acknowledgements

VMware would like to thank Egor Dimitrenko of Positive Technologies for
reporting this vulnerability to us.

3b. Insecure direct object reference vulnerability in vRealize Operations
    Manager API (CVE-2021-22023)

Description

The vRealize Operations Manager API contains an insecure direct object
reference vulnerability. VMware has evaluated the severity of this issue to be
in the Moderate severity range with a maximum CVSSv3 base score of 6.6.

Known Attack Vectors

A malicious actor with administrative access to the vRealize Operations
Manager API may be able to modify other users' information, leading to an
account takeover.

Resolution

To remediate CVE-2021-22023 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

An FAQ covering general queries is listed in the 'Additional Documentation'
column of the 'Response Matrix' below.

Notes

None.

Acknowledgements

VMware would like to thank Egor Dimitrenko of Positive Technologies for
reporting this vulnerability to us.

3c. Arbitrary log-file read vulnerability in vRealize Operations Manager API
    (CVE-2021-22024)

Description

The vRealize Operations Manager API contains an arbitrary log-file read
vulnerability. VMware has evaluated the severity of this issue to be in the
Important severity range with a maximum CVSSv3 base score of 7.5.

Known Attack Vectors

An unauthenticated malicious actor with network access to the vRealize
Operations Manager API can read any log file, resulting in sensitive
information disclosure.

Resolution

To remediate CVE-2021-22024 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

An FAQ covering general queries is listed in the 'Additional Documentation'
column of the 'Response Matrix' below.

Notes

None.

Acknowledgements

VMware would like to thank thiscodecc of MoyunSec V-Lab for reporting this
vulnerability to us.

3d. Broken access control vulnerability in vRealize Operations Manager API
    (CVE-2021-22025)

Description

The vRealize Operations Manager API contains a broken access control
vulnerability leading to unauthenticated API access. VMware has evaluated the
severity of this issue to be in the Important severity range with a maximum
CVSSv3 base score of 8.6.

Known Attack Vectors

An unauthenticated malicious actor with network access to the vRealize
Operations Manager API can add new nodes to an existing vROps cluster.

Resolution

To remediate CVE-2021-22025 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

An FAQ covering general queries is listed in the 'Additional Documentation'
column of the 'Response Matrix' below.

Notes

None.

Acknowledgements

VMware would like to thank thiscodecc of MoyunSec V-Lab for reporting this
vulnerability to us.

3e. Server Side Request Forgery in vRealize Operations Manager API
    (CVE-2021-22026, CVE-2021-22027)

Description

The vRealize Operations Manager API contains a Server Side Request Forgery
vulnerability in multiple endpoints. VMware has evaluated the severity of this
issue to be in the Important severity range with a maximum CVSSv3 base score
of 7.5.

Known Attack Vectors

An unauthenticated malicious actor with network access to the vRealize
Operations Manager API can perform a Server Side Request Forgery attack
leading to information disclosure.

Resolution

To remediate CVE-2021-22026 and CVE-2021-22027 apply the updates listed in the
'Fixed Version' column of the 'Response Matrix' below to impacted deployments.

Workarounds

None.

Additional Documentation

An FAQ covering general queries is listed in the 'Additional Documentation'
column of the 'Response Matrix' below.

Notes

None.

Acknowledgements

VMware would like to thank thiscodecc of MoyunSec V-Lab for reporting this
vulnerability to us.

Response Matrix

Product              Version       Running  CVE Identifier                   CVSSv3     Severity   Fixed       Workarounds  Additional
                                   On                                                               Version                  Documentation
-------------------  ------------  -------  -------------------------------  ---------  ---------  ----------  -----------  -------------
vRealize Operations  8.5.0         Any      N/A                              N/A        N/A        Unaffected  N/A          N/A
Manager
vRealize Operations  8.4.0         Any      CVE-2021-22022, CVE-2021-22023,  4.4 - 8.6  important  KB85383     None         FAQ
Manager                                     CVE-2021-22024, CVE-2021-22025,
                                            CVE-2021-22026, CVE-2021-22027
vRealize Operations  8.3.0         Any      CVE-2021-22022, CVE-2021-22023,  4.4 - 8.6  important  KB85382     None         FAQ
Manager                                     CVE-2021-22024, CVE-2021-22025,
                                            CVE-2021-22026, CVE-2021-22027
vRealize Operations  8.2.0         Any      CVE-2021-22022, CVE-2021-22023,  4.4 - 8.6  important  KB85381     None         FAQ
Manager                                     CVE-2021-22024, CVE-2021-22025,
                                            CVE-2021-22026, CVE-2021-22027
vRealize Operations  8.1.1, 8.1.0  Any      CVE-2021-22022, CVE-2021-22023,  4.4 - 8.6  important  KB85380     None         FAQ
Manager                                     CVE-2021-22024, CVE-2021-22025,
                                            CVE-2021-22026, CVE-2021-22027
vRealize Operations  8.0.1, 8.0.0  Any      CVE-2021-22022, CVE-2021-22023,  4.4 - 8.6  important  KB85379     None         FAQ
Manager                                     CVE-2021-22024, CVE-2021-22025,
                                            CVE-2021-22026, CVE-2021-22027
vRealize Operations  7.5.0         Any      CVE-2021-22022, CVE-2021-22023,  4.4 - 8.6  important  KB85378     None         FAQ
Manager                                     CVE-2021-22024, CVE-2021-22025,
                                            CVE-2021-22026, CVE-2021-22027

Impacted Product Suites that Deploy Response Matrix Components

Product              Version       Running  CVE Identifier                   CVSSv3     Severity   Fixed       Workarounds  Additional
                                   On                                                               Version                  Documentation
-------------------  ------------  -------  -------------------------------  ---------  ---------  ----------  -----------  -------------
VMware Cloud         4.x           Any      CVE-2021-22022, CVE-2021-22023,  4.4 - 8.6  important  KB85452     None         FAQ
Foundation (vROps)                          CVE-2021-22024, CVE-2021-22025,
                                            CVE-2021-22026, CVE-2021-22027
VMware Cloud         3.x           Any      CVE-2021-22022, CVE-2021-22023,  4.4 - 8.6  important  KB85452     None         FAQ
Foundation (vROps)                          CVE-2021-22024, CVE-2021-22025,
                                            CVE-2021-22026, CVE-2021-22027
vRealize Suite       8.x           Any      CVE-2021-22022, CVE-2021-22023,  4.4 - 8.6  important  KB85452     None         FAQ
Lifecycle Manager                           CVE-2021-22024, CVE-2021-22025,
(vROps)                                     CVE-2021-22026, CVE-2021-22027

4. References

Fixed Versions:

vRealize Operations Manager
  8.4:   https://kb.vmware.com/s/article/85383
  8.3:   https://kb.vmware.com/s/article/85382
  8.2:   https://kb.vmware.com/s/article/85381
  8.1.1: https://kb.vmware.com/s/article/85380
  8.0.1: https://kb.vmware.com/s/article/85379
  7.5:   https://kb.vmware.com/s/article/85378

VMware Cloud Foundation (vROps)
  4.x/3.x: https://kb.vmware.com/s/article/85452

vRealize Suite Lifecycle Manager (vROps)
  8.x: https://kb.vmware.com/s/article/85452

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22022
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22023
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22024
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22025
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22026
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22027

FIRST CVSSv3 Calculator:
CVE-2021-22022 : https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
CVE-2021-22023 : https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2021-22024 : https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2021-22025 : https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
CVE-2021-22026 : https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2021-22027 : https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5. Change Log

2021-08-24 VMSA-2021-0018 Initial security advisory.

6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  security-announce@lists.vmware.com
  bugtraq@securityfocus.com
  fulldisclosure@seclists.org

E-mail: security@vmware.com
PGP key at: https://kb.vmware.com/kb/1055

VMware Security Advisories
https://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.

AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.