-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2863
       VMSA-2021-0018 - VMware vRealize Operations update addresses
                     multiple security vulnerabilities
                              25 August 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware vRealize Operations
                   VMware Cloud Foundation
                   vRealize Suite Lifecycle Manager
Publisher:         VMware
Operating System:  Virtualisation
                   VMware
Impact/Access:     Increased Privileges     -- Existing Account      
                   Access Confidential Data -- Remote/Unauthenticated
                   Reduced Security         -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-22027 CVE-2021-22026 CVE-2021-22025
                   CVE-2021-22024 CVE-2021-22023 CVE-2021-22022

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2021-0018.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Advisory ID: VMSA-2021-0018
CVSSv3 Range: 4.4 - 8.6
Issue Date: 2021-08-24
Updated On: 2021-08-24 (Initial Advisory)
CVE(s): CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025,
CVE-2021-22026, CVE-2021-22027
Synopsis: VMware vRealize Operations updates address multiple security
vulnerabilities (CVE-2021-22022, CVE-2021-22023, CVE-2021-22024,
CVE-2021-22025, CVE-2021-22026, CVE-2021-22027)


1. Impacted Products

  o VMware vRealize Operations
  o VMware Cloud Foundation
  o vRealize Suite Lifecycle Manager


2. Introduction

Multiple vulnerabilities in VMware vRealize Operations were privately reported
to VMware. Patches are available to address these vulnerabilities in impacted
VMware products; no workarounds are available for any of them.


3a. Arbitrary file read vulnerability in vRealize Operations Manager API
(CVE-2021-22022)

Description

The vRealize Operations Manager API contains an arbitrary file read
vulnerability. VMware has evaluated the severity of this issue to be in the 
Moderate severity range with a maximum CVSSv3 base score of 4.4.

Known Attack Vectors

A malicious actor with administrative access to the vRealize Operations Manager
API can read any file on the server, leading to information disclosure.

Resolution

To remediate CVE-2021-22022 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

An FAQ to document general queries was created which is listed in the
'Additional Documentation' column of the 'Response Matrix' below.

Notes

None.

Acknowledgements

VMware would like to thank Egor Dimitrenko of Positive Technologies for
reporting this vulnerability to us.


3b. Insecure direct object reference vulnerability in vRealize Operations
Manager API (CVE-2021-22023)

Description

The vRealize Operations Manager API has an insecure direct object reference
vulnerability. VMware has evaluated the severity of this issue to be in the
Moderate severity range with a maximum CVSSv3 base score of 6.6.

Known Attack Vectors

A malicious actor with administrative access to the vRealize Operations Manager
API may be able to modify other users' information, leading to an account
takeover.

Resolution

To remediate CVE-2021-22023 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

An FAQ to document general queries was created which is listed in the
'Additional Documentation' column of the 'Response Matrix' below.

Notes

None.

Acknowledgements

VMware would like to thank Egor Dimitrenko of Positive Technologies for
reporting this vulnerability to us.


3c. Arbitrary log-file read vulnerability in vRealize Operations Manager API
(CVE-2021-22024)

Description

The vRealize Operations Manager API contains an arbitrary log-file read
vulnerability. VMware has evaluated the severity of this issue to be in the 
Important severity range with a maximum CVSSv3 base score of 7.5.

Known Attack Vectors

An unauthenticated malicious actor with network access to the vRealize
Operations Manager API can read any log file resulting in sensitive information
disclosure.

Resolution

To remediate CVE-2021-22024 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

An FAQ to document general queries was created which is listed in the
'Additional Documentation' column of the 'Response Matrix' below.

Notes

None.

Acknowledgements

VMware would like to thank thiscodecc of MoyunSec V-Lab for reporting this
vulnerability to us.


3d. Broken access control vulnerability in vRealize Operations Manager API
(CVE-2021-22025)

Description

The vRealize Operations Manager API contains a broken access control
vulnerability leading to unauthenticated API access. VMware has evaluated the
severity of this issue to be in the Important severity range with a maximum
CVSSv3 base score of 8.6.

Known Attack Vectors

An unauthenticated malicious actor with network access to the vRealize
Operations Manager API can add new nodes to an existing vROps cluster.

Resolution

To remediate CVE-2021-22025 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

An FAQ to document general queries was created which is listed in the
'Additional Documentation' column of the 'Response Matrix' below.

Notes

None.

Acknowledgements

VMware would like to thank thiscodecc of MoyunSec V-Lab for reporting this
vulnerability to us.


3e. Server Side Request Forgery in vRealize Operations Manager API
(CVE-2021-22026, CVE-2021-22027)

Description

The vRealize Operations Manager API contains Server Side Request Forgery
vulnerabilities in multiple endpoints. VMware has evaluated the severity of
this issue to be in the Important severity range with a maximum CVSSv3 base
score of 7.5.

Known Attack Vectors

An unauthenticated malicious actor with network access to the vRealize
Operations Manager API can perform a Server Side Request Forgery attack leading
to information disclosure.

Resolution

To remediate CVE-2021-22026 and CVE-2021-22027 apply the updates listed in the
'Fixed Version' column of the 'Response Matrix' below to impacted deployments.

Workarounds

None.

Additional Documentation

An FAQ to document general queries was created which is listed in the
'Additional Documentation' column of the 'Response Matrix' below.

Notes

None.

Acknowledgements

VMware would like to thank thiscodecc of MoyunSec V-Lab for reporting this
vulnerability to us.


Response Matrix

Product                      Version       Running On  CVE Identifier  CVSSv3     Severity   Fixed Version  Workarounds  Additional Documentation
vRealize Operations Manager  8.5.0         Any         N/A             N/A        N/A        Unaffected     N/A          N/A
vRealize Operations Manager  8.4.0         Any         All six (*)     4.4 - 8.6  Important  KB85383        None         FAQ
vRealize Operations Manager  8.3.0         Any         All six (*)     4.4 - 8.6  Important  KB85382        None         FAQ
vRealize Operations Manager  8.2.0         Any         All six (*)     4.4 - 8.6  Important  KB85381        None         FAQ
vRealize Operations Manager  8.1.1, 8.1.0  Any         All six (*)     4.4 - 8.6  Important  KB85380        None         FAQ
vRealize Operations Manager  8.0.1, 8.0.0  Any         All six (*)     4.4 - 8.6  Important  KB85379        None         FAQ
vRealize Operations Manager  7.5.0         Any         All six (*)     4.4 - 8.6  Important  KB85378        None         FAQ

(*) CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025,
    CVE-2021-22026, CVE-2021-22027

Impacted Product Suites that Deploy Response Matrix Components

Product                                   Version  Running On  CVE Identifier  CVSSv3     Severity   Fixed Version  Workarounds  Additional Documentation
VMware Cloud Foundation (vROps)           4.x      Any         All six (*)     4.4 - 8.6  Important  KB85452        None         FAQ
VMware Cloud Foundation (vROps)           3.x      Any         All six (*)     4.4 - 8.6  Important  KB85452        None         FAQ
vRealize Suite Lifecycle Manager (vROps)  8.x      Any         All six (*)     4.4 - 8.6  Important  KB85452        None         FAQ

(*) CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025,
    CVE-2021-22026, CVE-2021-22027

4. References

Fixed Versions:

vRealize Operations Manager

8.4: https://kb.vmware.com/s/article/85383
8.3: https://kb.vmware.com/s/article/85382
8.2: https://kb.vmware.com/s/article/85381
8.1.1: https://kb.vmware.com/s/article/85380
8.0.1: https://kb.vmware.com/s/article/85379
7.5: https://kb.vmware.com/s/article/85378


VMware Cloud Foundation (vROps)
4.x/3.x: https://kb.vmware.com/s/article/85452


vRealize Suite Lifecycle Manager (vROps)
8.x: https://kb.vmware.com/s/article/85452


Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22022
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22023
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22024
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22025
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22026
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22027


FIRST CVSSv3 Calculator:

CVE-2021-22022 : https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

CVE-2021-22023 : https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2021-22024 : https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2021-22025 : https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CVE-2021-22026 : https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2021-22027 : https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N


5. Change Log

2021-08-24 VMSA-2021-0018
Initial security advisory.


6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce 


This Security Advisory is posted to the following lists:  

security-announce@lists.vmware.com  
bugtraq@securityfocus.com  
fulldisclosure@seclists.org 


E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055 


VMware Security Advisories
https://www.vmware.com/security/advisories 


VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html 


VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html 


VMware Security & Compliance Blog  
https://blogs.vmware.com/security 


Twitter
https://twitter.com/VMwareSRC

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYSWlG+NLKJtyKPYoAQjaKQ/7BABxZ+8qrE29jUAnxChnmF4Z2irAQupv
nbiM9hIwIpTLb6kJMolb1kc07/ekyBO1SxL1KKHsDkHtsPqsc/I1z3eyLjn+H4Oo
VLxSd6OUTP47fJWedgVuPIaIeVH8amB1SGsBePaq/yo9BEl4HESn6UfcarKDnyBz
1i5Su+6OROoO1oo/U0O2Au3msbzLe0qPUZhniQWflmYIywcTBnNSck8fsRweFNCH
yKRQiuPhofMZMoOZIcESMpzzmxJmW+k4kDx4UD35thTfTNVTN6KVclF2TblYNsG4
pWI30ZF6EkH+jsVafkhT9sfci3gIthUJkwNEj/5I3yTGV0aGJO6uRbD+N87k2W0K
Zr+rMXrRemytWOxWSbsb6GwgQmiO5yqCwmwFo9y5VgzgbhdifbeiYQuybExGGa1d
Oco4jnck7srAO/lSToNXa0yiSJUaIjuwCuqpgW8yFKWw+Djn1aZk4gst5sr/OuYw
5thNJcQKfsnIg1Py8FUxJTZO9CdAs5/Buiv5Y9d/Vaj5K0TmBnZaMQ72zNBTTOGe
dS7I0tCmnH9xNhUK8Ac3oPV+PbeYDl4y8LYLBtdK3sFKYQ25/5YNg3Xc0L2rp5ZV
qYn3ZzUAM0GjLKqDHsNcUBRzwfXiF1a5KgW6dBlhxKcMLR7YcebzvOSW+4JPQYUM
4U5WdzgfHlQ=
=j0bQ
-----END PGP SIGNATURE-----