VMSA-2021-0004:VMware vRealize Operations updates address Server Side Request Forgery and Arbitrary File Write vulnerabilities
23600
22 August 2021
28 March 2021
CLOSED
CRITICAL
7.2 - 8.6
CVE-2021-21975,CVE-2021-21983
1. Impacted Products
- VMware vRealize Operations
- VMware Cloud Foundation (Cloud Foundation)
- vRealize Suite Lifecycle Manager
2. Introduction
Multiple vulnerabilities in VMware vRealize Operations were privately reported to VMware. Patches and workarounds are available to address these vulnerabilities in impacted VMware products.
3a. Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975)
Description
The vRealize Operations Manager API contains a Server Side Request Forgery. VMware has evaluated this issue to be of 'Important' severity with a maximum CVSSv3 base score of 8.6.
Known Attack Vectors
A malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials.
Resolution
To remediate CVE-2021-21975 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to impacted deployments.
Workarounds
Workarounds for CVE-2021-21975 have been listed in the 'Workarounds' column of the 'Response Matrix' below.
Additional Documentation
A FAQ was created which is listed in the 'Additional Documentation' column of the 'Response Matrix' below.
Acknowledgements
VMware would like to thank Egor Dimitrenko of Positive Technologies for reporting this vulnerability to us.
3b. Arbitrary file write vulnerability in vRealize Operations Manager API (CVE-2021-21983)
Description
The vRealize Operations Manager API contains an arbitrary file write vulnerability. VMware has evaluated this issue to be of 'Important' severity with a maximum CVSSv3 base score of 7.2.
Known Attack Vectors
An authenticated malicious actor with network access to the vRealize Operations Manager API can write files to arbitrary locations on the underlying Photon OS.
Resolution
To remediate CVE-2021-21983 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments.
Workarounds
Workarounds for CVE-2021-21983 have been listed in the 'Workarounds' column of the 'Response Matrix' below.
Additional Documentation
A FAQ was created which is listed in the 'Additional Documentation' column of the 'Response Matrix' below.
Acknowledgements
VMware would like to thank Egor Dimitrenko of Positive Technologies for reporting this vulnerability to us.
Notes
[1] The hotfixes previously mentioned in this advisory were found to have only partially resolved CVE-2021-21975, leaving a residual risk of moderate severity (CVSS = 4.3). Hotfixes created to resolve the vulnerabilities documented in VMSA-2021-0018 also include complete fixes for CVE-2021-21975.
[2] vRealize Operations Manager 8.4.0 shipped with the aforementioned incomplete fixes, and is therefore partially impacted by CVE-2021-21975.
Response Matrix:
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
vRealize Operations Manager | 8.5.0 | Any | CVE-2021-21975, CVE-2021-21983 | N/A | N/A | Unaffected | N/A | N/A |
[2] vRealize Operations Manager | 8.4.0 | Any | CVE-2021-21975 | moderate | None | None | ||
[2] vRealize Operations Manager | 8.4.0 | Any | CVE-2021-21983 | N/A | N/A | Unaffected | N/A | N/A |
[1] vRealize Operations Manager | 8.3.0 | Any | CVE-2021-21975, CVE-2021-21983 | 7.2 - 8.6 | critical | |||
[1] vRealize Operations Manager | 8.2.0 | Any | CVE-2021-21975, CVE-2021-21983 | 7.2 - 8.6 | critical | |||
[1] vRealize Operations Manager | 8.1.1, 8.1.0 | Any | CVE-2021-21975, CVE-2021-21983 | 7.2 - 8.6 | critical | |||
[1] vRealize Operations Manager | 8.0.1, 8.0.0 | Any | CVE-2021-21975, CVE-2021-21983 | 7.2 - 8.6 | critical | |||
[1] vRealize Operations Manager | 7.5.0 | Any | CVE-2021-21975, CVE-2021-21983 | 7.2 - 8.6 | critical | |||
vRealize Operations Manager | 7.0.0 | Any | CVE-2021-21975, CVE-2021-21983 | 7.2 - 8.6 | critical | No patch planned | ||
vRealize Operations Manager | 6.7.0 | Any | CVE-2021-21975, CVE-2021-21983 | 7.2 - 8.6 | critical | No patch planned | ||
vRealize Operations Manager | 6.6.1, 6.6.0 | Any | N/A | N/A | N/A | Unaffected | N/A | N/A |
Impacted Product Suites that Deploy Response Matrix Components:
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
VMware Cloud Foundation (vROps) | 4.x | Any | CVE-2021-21975, CVE-2021-21983 | 7.2 - 8.6 | critical | See 'Response Matrix' workaround column above | ||
VMware Cloud Foundation (vROps) | 3.x | Any | CVE-2021-21975, CVE-2021-21983 | 7.2 - 8.6 | critical | See 'Response Matrix' workaround column above | ||
vRealize Suite Lifecycle Manager (vROps) | 8.x | Any | CVE-2021-21975, CVE-2021-21983 | 7.2 - 8.6 | critical | See 'Response Matrix' workaround column above |
4. References
Remediation and Workarounds:
vRealize Operations Manager
8.3.0: https://kb.vmware.com/s/article/83210
8.2.0: https://kb.vmware.com/s/article/83095
8.1.1: https://kb.vmware.com/s/article/83094
8.0.1: https://kb.vmware.com/s/article/83093
7.5.0: https://kb.vmware.com/s/article/82367
7.0.0: https://kb.vmware.com/s/article/83287
VMware Cloud Foundation (vROps)
4.x/3.x: https://kb.vmware.com/s/article/83260
vRealize Suite Lifecycle Manager (vROps)
8.x: https://kb.vmware.com/s/article/83260
FIRST CVSSv3 Calculator:
CVE-2021-21975 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVE-2021-21983 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21975
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21983
5. Change Log
2021-03-30: VMSA-2021-0004
Initial security advisory.
2021-03-31: VMSA-2021-0004.1
Updated advisory with information on vROps 7.0.0 workarounds.
2021-08-24: VMSA-2021-0004.2
Updated advisory with information that fixes for CVE-2021-21975 were incomplete.
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
E-mail: [email protected]
PGP key at:
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2021 VMware Inc. All rights reserved.