Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.3369.2
VMware advisories VMSA-2021-0021, VMSA-2021-0022 and VMSA-2021-0023
14 October 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: VMware vRealize Operations
VMware vRealize Log Insight
VMware Cloud Foundation
vRealize Suite Lifecycle Manager
VMware vRealize Orchestrator
Publisher: VMware
Operating System: Virtualisation
VMware ESX Server
Impact/Access: Execute Arbitrary Code/Commands -- Existing Account
Access Confidential Data -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2021-22036 CVE-2021-22035 CVE-2021-22033
Original Bulletin:
https://www.vmware.com/security/advisories/VMSA-2021-0021.html
https://www.vmware.com/security/advisories/VMSA-2021-0022.html
https://www.vmware.com/security/advisories/VMSA-2021-0023.html
Revision History: October 14 2021: Vendor updated VMSA-2021-0023 to add vRealize product
October 13 2021: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Advisory ID: VMSA-2021-0021
CVSSv3 Range: 2.7
Issue Date: 2021-10-12
Updated On: 2021-10-12
CVE(s): CVE-2021-22033
Synopsis: VMware vRealize Operations update addresses SSRF Vulnerability
(CVE-2021-22033)
1. Impacted Products
o VMware vRealize Operations
o VMware Cloud Foundation
o vRealize Suite Lifecycle Manager
2. Introduction
A SSRF vulnerability in VMware vRealize Operations was privately reported to
VMware. Patches are available to address this vulnerability in impacted VMware
products.
3. Server Side Request Forgery in vRealize Operations (CVE-2021-22033)
Description
vRealize Operations contains a Server Side Request Forgery (SSRF)
vulnerability. VMware has evaluated the severity of this issue to be in the
Low severity range with a maximum CVSSv3 base score of 2.7 .
Known Attack Vectors
A malicious actor with administrative access to vRealize Operations can
enumerate internal IPs and internal ports.
Resolution
To remediate CVE-2021-22033 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.
Workarounds
None.
Additional Documentation
None.
Acknowledgements
VMware would like to thank AxisX for reporting this vulnerability to us.
Notes
None.
Response Matrix:
Product Version Running CVE Identifier CVSSv3 Severity Fixed Workarounds Additional
On Version Documentation
vRealize 8.x, Any CVE-2021-22033 2.7 low 8.6.0 None None
Operations 7.x
Impacted Product Suites that Deploy Response Matrix Components:
Product Version Running CVE Identifier CVSSv3 Severity Fixed Workarounds Additional
On Version Documentation
VMware
Cloud 4.x, Any CVE-2021-22033 2.7 low Patch None None
Foundation 3.x Pending
(vROps)
vRealize
Suite Patch
Lifecycle 8.x Any CVE-2021-22033 2.7 low Pending None None
Manager
(vROps)
4. References
Remediation and Workarounds:
vRealize Operations
8.6.0: https://docs.vmware.com/en/vRealize-Operations/8.6/rn/
vrealize-operations-86-release-notes/index.html
FIRST CVSSv3 Calculator:
CVE-2021-22033: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/
PR:H/UI:N/S:U/C:L/I:N/A:N (2.7)
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22033
5. Change Log
2021-10-12: VMSA-2021-0021
Initial security advisory.
- --------------------------------------------------------------------------------
Advisory ID: VMSA-2021-0022
CVSSv3 Range: 6.5
Issue Date: 2021-10-12
Updated On: 2021-10-12 (Initial Advisory)
CVE(s): CVE-2021-22035
Synopsis: VMware vRealize Log Insight updates address CSV injection
vulnerability (CVE-2021-22035)
1. Impacted Products
o VMware vRealize Log Insight
o VMware Cloud Foundation
o vRealize Suite Lifecycle Manager
2. Introduction
A CSV injection vulnerability in VMware vRealize Log Insight was privately
reported to VMware. Updates are available to remediate this vulnerability in
affected VMware products.
3. VMware vRealize Log Insight CSV injection vulnerability (CVE-2021-22035)
Description
VMware vRealize Log Insight contains a CSV(Comma Separated Value)
injection vulnerability in interactive analytics export function. VMware has
evaluated the severity of this issue to be in the Moderate severity range with
a maximum CVSSv3 base score of 6.5 .
Known Attack Vectors
An authenticated malicious actor with non-administrative privileges may be
able to embed untrusted data prior to exporting a CSV sheet through Log
Insight which could be executed in user's environment.
Resolution
To remediate CVE-2021-22035 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.
Workarounds
None.
Additional Documentation
None.
Notes
None.
Acknowledgements
VMware would like to thank Tran Viet Quang of Vantage Point Security for
reporting this vulnerability to us.
Response Matrix
Product Version Running CVE Identifier CVSSv3 Severity Fixed Workarounds Additional
On Version Documentation
VMware
vRealize 8.6 Virtual N/A N/A N/A Unaffected N/A N/A
Log Appliance
Insight
VMware
vRealize 8.4.1, Virtual CVE-2021-22035 6.5 moderate KB85992 None None
Log 8.4.0 Appliance
Insight
VMware
vRealize 8.3 Virtual CVE-2021-22035 6.5 moderate KB85990 None None
Log Appliance
Insight
VMware
vRealize 8.2 Virtual CVE-2021-22035 6.5 moderate KB85989 None None
Log Appliance
Insight
VMware 8.1.1,
vRealize 8.1.0, Virtual CVE-2021-22035 6.5 moderate KB85985 None None
Log 8.0.0 Appliance
Insight and 4.x
Impacted Product Suites that Deploy Response Matrix Components
Product Version Running CVE Identifier CVSSv3 Severity Fixed Workarounds Additional
On Version Documentation
VMware
Cloud 4.x Any CVE-2021-22035 6.5 moderate KB86000 None None
Foundation
(vRLI)
vRealize
Suite
Lifecycle 8.x Any CVE-2021-22035 6.5 moderate KB86000 None None
Manager
(vRLI)
4. References
Fixed Version(s) and Release Notes:
VMware vRealize Log Insight 8.6.0
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VRLI-860&
productId=938&rPId=75107
https://docs.vmware.com/en/vRealize-Log-Insight/8.6/rn/
vRealize-Log-Insight-86.html
VMware vRealize Log Insight
8.4.1: https://kb.vmware.com/s/article/85992
8.3: https://ikb.vmware.com/s/article/85990
8.2: https://kb.vmware.com/s/article/85989
8.1.1: https://kb.vmware.com/s/article/85985
VMware Cloud Foundation (vRLI)
4.x: https://kb.vmware.com/s/article/86000
vRealize Suite Lifecycle Manager (vRLI)
8.x: https://kb.vmware.com/s/article/86000
Mitre CVE Dictionary Links: https://cve.mitre.org/cgi-bin/cvename.cgi?name=
CVE-2021-22035
FIRST CVSSv3 Calculator:
CVE-2021-22035: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/
PR:L/UI:R/S:C/C:L/I:L/A:L
5. Change Log
2021-10-12 VMSA-2021-0022
Initial security advisory.
- --------------------------------------------------------------------------------
Advisory ID: VMSA-2021-0023.1
CVSSv3 Range: 6.5
Issue Date: 2021-10-12
Updated On: 2021-10-13
CVE(s): CVE-2021-22036
Synopsis: VMware vRealize Orchestrator update addresses open redirect
vulnerability (CVE-2021-22036)
1. Impacted Products
o VMware vRealize Orchestrator
o VMware vRealize Automation
2. Introduction
An open redirect vulnerability in VMware vRealize Orchestrator was privately
reported to VMware. Updates are available to remediate this vulnerability in
affected VMware products.
3. VMware vRealize Orchestrator update addresses open redirect vulnerability
(CVE-2021-22036)
Description
VMware vRealize Orchestrator contains an open redirect vulnerability due to
improper path handling. VMware has evaluated the severity of this issue to be
in the Moderate severity range with a maximum CVSSv3 base score of 6.5 .
Known Attack Vectors
A malicious actor may be able to redirect victim to an attacker controlled
domain due to improper path handling in vRealize Orchestrator leading to
sensitive information disclosure.
Resolution
To remediate CVE-2021-22036 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.
Workarounds
None.
Additional Documentation
None.
Notes
VMware vRealize Automation 8.x is affected since it uses embedded
vRealize Orchestrator.
Acknowledgements
VMware would like to thank Marek Takac of Citadelo for reporting this
vulnerability to us.
Response Matrix
Product Version Running CVE Identifier CVSSv3 Severity Fixed Workarounds Additional
On Version Documentation
VMware Virtual
vRealize 8.x Appliance CVE-2021-22036 6.5 moderate 8.6 None None
Orchestrator
VMware
vRealize 8.x Any CVE-2021-22036 6.5 moderate 8.6 None None
Automation
4. References
Fixed Version(s) and Release Notes:
VMware vRealize Orchestrator 8.6.0
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VROVA-860&
productId=1206&rPId=75321
https://docs.vmware.com/en/vRealize-Orchestrator/8.6/rn/
VMware-vRealize-Orchestrator-86-Release-Notes.html
VMware vRealize Automation 8.6.0
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VRA-860&
productId=1206&rPId=75320
https://docs.vmware.com/en/vRealize-Automation/8.6/rn/
vmware-vrealize-automation-86-release-notes/index.html
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22036
FIRST CVSSv3 Calculator:
CVE-2021-22036: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/
PR:N/UI:R/S:U/C:H/I:N/A:N
5. Change Log
2021-10-12 VMSA-2021-0023
Initial security advisory.
2021-10-13 VMSA-2021-0023.1
Added VMware vRealize Automation 8.x in the Response Matrix section. As it
uses embedded vRealize Orchestrator.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYWd+6+NLKJtyKPYoAQiEVw//UEvyKrVntUiMINrc4KYqKjD5ecLa9xne
GIP/yQHTF7Q0iGBJ46y9gPMwZEqRSdIwFKd7SM492ckf/Nj6W57R/Zg/NR5D/VpL
LERU5aWUn5uoVXb4O5t609DqskMpUQtx9pyP4hiZTH249mtp7o36Lxa5MwUuqqwm
zJBtJCmNmdUSM8PyZoFaG4C3M//uBjX4cq/PWat6dMABNCRz7spbr5vSq5CiBENX
OSrbsPJ0t1gRVJq0N6NYIXsfqkZ5xDyVSlGY39mBqP+8YWuPr/SyMO6120yFqou3
Wtt0N7nvZGmZhRAhb0vs7JS4TbrFnuxeWJr6yzf8qppo6M1L3r9//VCSAEEHQiTV
+PpeVnJcGkaByu26L4g2N5KMeUs/bqb1OR+kiUCWp+MpLVzpJg4R+GsoRSvmq1S5
KBPLynKBTs6VNeweOIVNJZVAgkM5EWdfHlyIN90QrPsCbOy/ht9ql4oSiJBiSF3Q
z1z2BjA/ItZdOR25HvmRVHoVhavkHgQbNV+BoJ5nSBOXwvnVH13htzTqtycbwfBC
3Gsj8Gg66nyy8CAt2ism12/q0RAMJXie5rctOCv8Zg2674Mq3wwoVRDLiU4ep9b+
TNUWqJBlr5WC6cn3UhR0vinXTPhAxlx9cBLwJ9DRxhqBzFE2lANrvkdVVZHxQ4A/
5mH2aj54ZKc=
=D/kN
-----END PGP SIGNATURE-----