Published: 14 October 2021


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2021.3369.2
    VMware advisories VMSA-2021-0021, VMSA-2021-0022 and VMSA-2021-0023
                              14 October 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware vRealize Operations
                   VMware vRealize Log Insight
                   VMware Cloud Foundation
                   vRealize Suite Lifecycle Manager
                   VMware vRealize Orchestrator
Publisher:         VMware
Operating System:  Virtualisation
                   VMware ESX Server
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Access Confidential Data        -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-22036 CVE-2021-22035 CVE-2021-22033

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2021-0021.html
   https://www.vmware.com/security/advisories/VMSA-2021-0022.html
   https://www.vmware.com/security/advisories/VMSA-2021-0023.html

Revision History:  October 14 2021: Vendor updated VMSA-2021-0023 to add vRealize product
                   October 13 2021: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Advisory ID: VMSA-2021-0021
CVSSv3 Range: 2.7
Issue Date: 2021-10-12
Updated On: 2021-10-12
CVE(s): CVE-2021-22033
Synopsis: VMware vRealize Operations update addresses SSRF Vulnerability
(CVE-2021-22033)

1. Impacted Products

  o VMware vRealize Operations
  o VMware Cloud Foundation
  o vRealize Suite Lifecycle Manager

2. Introduction

An SSRF vulnerability in VMware vRealize Operations was privately reported to
VMware. Patches are available to address this vulnerability in impacted VMware
products.

3. Server Side Request Forgery in vRealize Operations (CVE-2021-22033)

Description

vRealize Operations contains a Server Side Request Forgery (SSRF)
vulnerability. VMware has evaluated the severity of this issue to be in the
Low severity range with a maximum CVSSv3 base score of 2.7.

Known Attack Vectors

A malicious actor with administrative access to vRealize Operations can
enumerate internal IPs and internal ports.
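As an added illustration (not code from the VMware advisory or its products): a guard for server-side fetches of the kind that stops an administrator-supplied URL from being turned into a probe of internal addresses and ports. The scheme and port policy, the hostnames and the offline resolver are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit
# Policy for server-side fetches: web schemes only, standard web ports only, and
# only hosts whose every resolved address is globally routable.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

def is_public_address(addr):
    """True only for a globally routable unicast address: rejects loopback,
    RFC 1918, link-local, CGNAT, documentation and multicast ranges."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast

def check_outbound_url(url, resolve=socket.getaddrinfo):
    """Return (ok, reason) for an administrator-supplied URL. `resolve(host, port)`
    is injectable so the check can run offline; the default is the system resolver."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "missing host"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    try:
        infos = resolve(parts.hostname, port)
    except OSError:
        return False, "host does not resolve"
    for info in infos:
        addr = info[4][0]  # sockaddr tuple; element 0 is the address text
        if not is_public_address(addr):
            return False, "resolves to non-public address " + addr
    return True, "ok"

# Constructed offline resolver for the demonstration (not real DNS data).
FAKE_DNS = {
    "www.example.invalid": ["93.184.216.34"],
    "intranet.invalid": ["10.0.0.5"],
    "mixed.invalid": ["93.184.216.34", "192.168.1.20"],  # one internal address is enough to reject
}

def fake_resolve(host, port):
    if host not in FAKE_DNS:
        raise socket.gaierror("name not found")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (a, port)) for a in FAKE_DNS[host]]
```

Checking every resolved address, not just the first, is what closes the gap where a name returns both a public and an internal address.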

Resolution

To remediate CVE-2021-22033 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds
None.

Additional Documentation
None.

Acknowledgements
VMware would like to thank AxisX for reporting this vulnerability to us.

Notes
None.


Response Matrix:

Product              Version   Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
vRealize Operations  8.x, 7.x  Any         CVE-2021-22033  2.7     low       8.6.0          None         None

Impacted Product Suites that Deploy Response Matrix Components:

Product                                   Version   Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
VMware Cloud Foundation (vROps)           4.x, 3.x  Any         CVE-2021-22033  2.7     low       Patch Pending  None         None
vRealize Suite Lifecycle Manager (vROps)  8.x       Any         CVE-2021-22033  2.7     low       Patch Pending  None         None


4. References

Remediation and Workarounds:

vRealize Operations
8.6.0: https://docs.vmware.com/en/vRealize-Operations/8.6/rn/vrealize-operations-86-release-notes/index.html

FIRST CVSSv3 Calculator:
CVE-2021-22033: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N (2.7)

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22033

5. Change Log

2021-10-12: VMSA-2021-0021
Initial security advisory.


- --------------------------------------------------------------------------------


Advisory ID: VMSA-2021-0022
CVSSv3 Range: 6.5
Issue Date: 2021-10-12
Updated On: 2021-10-12 (Initial Advisory)
CVE(s): CVE-2021-22035
Synopsis: VMware vRealize Log Insight updates address CSV injection
vulnerability (CVE-2021-22035)

1. Impacted Products

  o VMware vRealize Log Insight
  o VMware Cloud Foundation
  o vRealize Suite Lifecycle Manager

2. Introduction

A CSV injection vulnerability in VMware vRealize Log Insight was privately
reported to VMware. Updates are available to remediate this vulnerability in
affected VMware products.

3. VMware vRealize Log Insight CSV injection vulnerability (CVE-2021-22035)

Description

VMware vRealize Log Insight contains a CSV (Comma-Separated Value) injection
vulnerability in the interactive analytics export function. VMware has
evaluated the severity of this issue to be in the Moderate severity range with
a maximum CVSSv3 base score of 6.5.

Known Attack Vectors

An authenticated malicious actor with non-administrative privileges may be
able to embed untrusted data prior to exporting a CSV sheet through Log
Insight, which could then be executed in the user's environment.
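As an added illustration (not code from the VMware advisory or its products): how an export function can neutralise CSV injection so that cells a low-privileged user controls are always rendered as text, plus the matching detection check for logging before export. The sample rows and the log-event layout are constructed for the example.

```python
import csv
import io

# Characters that make a spreadsheet evaluate a cell as a formula. "-" and "+" also
# trigger evaluation, so legitimate negative numbers get escaped as well; the
# single-quote prefix keeps them readable as text.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def is_formula_like(value):
    """True if a spreadsheet would interpret the cell content as a formula."""
    return value.startswith(FORMULA_TRIGGERS)

def neutralise_cell(value):
    """Render the cell as text: prefix formula-like content with a single quote."""
    text = "" if value is None else str(value)
    return "'" + text if is_formula_like(text) else text

def export_rows(header, rows):
    """Write header and rows as CSV text with every cell neutralised and quoted.
    Quoting every cell also stops an embedded comma or newline from splitting cells."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralise_cell(cell) for cell in row])
    return buf.getvalue()

def find_formula_cells(rows):
    """Detection side: (row index, column index) of every cell that would have
    been evaluated as a formula, for logging or alerting before the export."""
    return [(r, c) for r, row in enumerate(rows)
            for c, cell in enumerate(row) if is_formula_like(str(cell))]

# Constructed sample rows: the message field is user-controlled log content, and
# one message starts with "=" so it would evaluate when the export is opened.
SAMPLE_HEADER = ("timestamp", "host", "message")
SAMPLE_ROWS = [
    ("2021-10-12T10:00:00Z", "web01", "GET /index.html 200"),
    ("2021-10-12T10:00:05Z", "web01", "=SUM(1,2)"),
    ("2021-10-12T10:00:09Z", "db01", "-5 rows affected"),
]

if __name__ == "__main__":
    print(find_formula_cells(SAMPLE_ROWS))
    print(export_rows(SAMPLE_HEADER, SAMPLE_ROWS))
```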

Resolution

To remediate CVE-2021-22035 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds
None.

Additional Documentation
None.

Notes
None.

Acknowledgements

VMware would like to thank Tran Viet Quang of Vantage Point Security for
reporting this vulnerability to us.


Response Matrix

Product                      Version                       Running On         CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
VMware vRealize Log Insight  8.6                           Virtual Appliance  N/A             N/A     N/A       Unaffected     N/A          N/A
VMware vRealize Log Insight  8.4.1, 8.4.0                  Virtual Appliance  CVE-2021-22035  6.5     moderate  KB85992        None         None
VMware vRealize Log Insight  8.3                           Virtual Appliance  CVE-2021-22035  6.5     moderate  KB85990        None         None
VMware vRealize Log Insight  8.2                           Virtual Appliance  CVE-2021-22035  6.5     moderate  KB85989        None         None
VMware vRealize Log Insight  8.1.1, 8.1.0, 8.0.0 and 4.x   Virtual Appliance  CVE-2021-22035  6.5     moderate  KB85985        None         None

Impacted Product Suites that Deploy Response Matrix Components

Product                                  Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
VMware Cloud Foundation (vRLI)           4.x      Any         CVE-2021-22035  6.5     moderate  KB86000        None         None
vRealize Suite Lifecycle Manager (vRLI)  8.x      Any         CVE-2021-22035  6.5     moderate  KB86000        None         None


4. References

Fixed Version(s) and Release Notes:

VMware vRealize Log Insight 8.6.0

Downloads and Documentation:

https://customerconnect.vmware.com/downloads/details?downloadGroup=VRLI-860&productId=938&rPId=75107

https://docs.vmware.com/en/vRealize-Log-Insight/8.6/rn/vRealize-Log-Insight-86.html

VMware vRealize Log Insight

8.4.1: https://kb.vmware.com/s/article/85992

8.3: https://ikb.vmware.com/s/article/85990

8.2: https://kb.vmware.com/s/article/85989

8.1.1: https://kb.vmware.com/s/article/85985

VMware Cloud Foundation (vRLI)

4.x: https://kb.vmware.com/s/article/86000

vRealize Suite Lifecycle Manager (vRLI)

8.x: https://kb.vmware.com/s/article/86000

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22035

FIRST CVSSv3 Calculator:
CVE-2021-22035: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

5. Change Log

2021-10-12 VMSA-2021-0022
Initial security advisory.


- --------------------------------------------------------------------------------


Advisory ID: VMSA-2021-0023.1
CVSSv3 Range: 6.5
Issue Date: 2021-10-12
Updated On: 2021-10-13
CVE(s): CVE-2021-22036
Synopsis: VMware vRealize Orchestrator update addresses open redirect
vulnerability (CVE-2021-22036)

1. Impacted Products

  o VMware vRealize Orchestrator
  o VMware vRealize Automation

2. Introduction

An open redirect vulnerability in VMware vRealize Orchestrator was privately
reported to VMware. Updates are available to remediate this vulnerability in
affected VMware products.

3. VMware vRealize Orchestrator update addresses open redirect vulnerability
(CVE-2021-22036)

Description

VMware vRealize Orchestrator contains an open redirect vulnerability due to
improper path handling. VMware has evaluated the severity of this issue to be
in the Moderate severity range with a maximum CVSSv3 base score of 6.5.

Known Attack Vectors

A malicious actor may be able to redirect a victim to an attacker-controlled
domain due to improper path handling in vRealize Orchestrator, leading to
sensitive information disclosure.
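As an added illustration (not code from the VMware advisory or its products): a validator for a user-supplied "return to" target that only ever redirects inside the application, including the path-handling variants that browsers normalise into a different host. The application origin, the sample inputs and the function names are assumptions made for the example.

```python
from urllib.parse import urlsplit, urljoin

# Assumed application origin for the example; in a real deployment this comes
# from configuration, never from the request.
APP_ORIGIN = "https://vro.example.invalid"

def is_local_redirect(target):
    """Accept only a path inside the application.

    Rejects absolute URLs, scheme-relative URLs ("//host"), the backslash variant
    ("/\\host", which browsers normalise to "//host"), control characters and any
    target that does not begin with exactly one "/".
    """
    if not target or not target.startswith("/"):
        return False
    if target.startswith("//") or "\\" in target:
        return False
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in target):
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False
    # Resolve the way a browser would and confirm the host has not changed.
    resolved = urlsplit(urljoin(APP_ORIGIN + "/", target))
    return resolved.netloc == urlsplit(APP_ORIGIN).netloc

def safe_redirect_target(target, default="/"):
    """Return the target if it is local, otherwise a fixed in-application page."""
    return target if is_local_redirect(target) else default

# Constructed inputs as a "return to" parameter might carry them.
SAMPLES = [
    "/vco/dashboard?tab=1",
    "//evil.invalid/login",
    "/\\evil.invalid/login",
    "https://evil.invalid/login",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", safe_redirect_target(sample))
```

Falling back to a fixed in-application page, rather than trying to repair a rejected target, keeps the decision simple to audit.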

Resolution

To remediate CVE-2021-22036 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds
None.

Additional Documentation
None.

Notes

VMware vRealize Automation 8.x is affected since it uses embedded
vRealize Orchestrator.

Acknowledgements

VMware would like to thank Marek Takac of Citadelo for reporting this
vulnerability to us.


Response Matrix

Product                       Version  Running On         CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
VMware vRealize Orchestrator  8.x      Virtual Appliance  CVE-2021-22036  6.5     moderate  8.6            None         None
VMware vRealize Automation    8.x      Any                CVE-2021-22036  6.5     moderate  8.6            None         None


4. References

Fixed Version(s) and Release Notes:

VMware vRealize Orchestrator 8.6.0

Downloads and Documentation:

https://customerconnect.vmware.com/downloads/details?downloadGroup=VROVA-860&productId=1206&rPId=75321

https://docs.vmware.com/en/vRealize-Orchestrator/8.6/rn/VMware-vRealize-Orchestrator-86-Release-Notes.html

VMware vRealize Automation 8.6.0

Downloads and Documentation:

https://customerconnect.vmware.com/downloads/details?downloadGroup=VRA-860&productId=1206&rPId=75320

https://docs.vmware.com/en/vRealize-Automation/8.6/rn/vmware-vrealize-automation-86-release-notes/index.html

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22036

FIRST CVSSv3 Calculator:
CVE-2021-22036: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

5. Change Log

2021-10-12 VMSA-2021-0023
Initial security advisory.

2021-10-13 VMSA-2021-0023.1
Added VMware vRealize Automation 8.x to the Response Matrix section, as it
uses embedded vRealize Orchestrator.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================