VMSA-2021-0018:VMware vRealize Operations updates address multiple security vulnerabilities
23609
22 August 2021
22 August 2021
CLOSED
HIGH
4.4 - 8.6
CVE-2021-22022,CVE-2021-22023,CVE-2021-22024,CVE-2021-22025,CVE-2021-22026,CVE-2021-22027
1. Impacted Products
- VMware vRealize Operations
- VMware Cloud Foundation (Cloud Foundation)
- vRealize Suite Lifecycle Manager
2. Introduction
Multiple vulnerabilities in VMware vRealize Operations were privately reported to VMware. Patches and Workarounds are available to address these vulnerabilities in impacted VMware products.
3a. Arbitrary file read vulnerability in vRealize Operations Manager API (CVE-2021-22022)
Description
The vRealize Operations Manager API contains an arbitrary file read vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.4.
Known Attack Vectors
A malicious actor with administrative access to the vRealize Operations Manager API can read any arbitrary file on the server, leading to information disclosure.
Resolution
To remediate CVE-2021-22022 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds
None.
Additional Documentation
An FAQ answering general queries has been created; it is listed in the 'Additional Documentation' column of the 'Response Matrix' below.
Notes
None.
Acknowledgements
VMware would like to thank Egor Dimitrenko of Positive Technologies for reporting this vulnerability to us.
3b. Insecure direct object reference vulnerability in vRealize Operations Manager API (CVE-2021-22023)
Description
The vRealize Operations Manager API contains an insecure direct object reference vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.6.
Known Attack Vectors
A malicious actor with administrative access to the vRealize Operations Manager API may be able to modify other users' information, leading to an account takeover.
Resolution
To remediate CVE-2021-22023 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds
None.
Additional Documentation
An FAQ answering general queries has been created; it is listed in the 'Additional Documentation' column of the 'Response Matrix' below.
Notes
None.
Acknowledgements
VMware would like to thank Egor Dimitrenko of Positive Technologies for reporting this vulnerability to us.
3c. Arbitrary log-file read vulnerability in vRealize Operations Manager API (CVE-2021-22024)
Description
The vRealize Operations Manager API contains an arbitrary log-file read vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.
Known Attack Vectors
An unauthenticated malicious actor with network access to the vRealize Operations Manager API can read any log file, resulting in sensitive information disclosure.
Resolution
To remediate CVE-2021-22024 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds
None.
Additional Documentation
An FAQ answering general queries has been created; it is listed in the 'Additional Documentation' column of the 'Response Matrix' below.
Notes
None.
Acknowledgements
VMware would like to thank thiscodecc of MoyunSec V-Lab for reporting this vulnerability to us.
3d. Broken access control vulnerability in vRealize Operations Manager API (CVE-2021-22025)
Description
The vRealize Operations Manager API contains a broken access control vulnerability leading to unauthenticated API access. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.6.
Known Attack Vectors
An unauthenticated malicious actor with network access to the vRealize Operations Manager API can add new nodes to an existing vROps cluster.
Resolution
To remediate CVE-2021-22025 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds
None.
Additional Documentation
An FAQ answering general queries has been created; it is listed in the 'Additional Documentation' column of the 'Response Matrix' below.
Notes
None.
Acknowledgements
VMware would like to thank thiscodecc of MoyunSec V-Lab for reporting this vulnerability to us.
3e. Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-22026, CVE-2021-22027)
Description
The vRealize Operations Manager API contains a Server Side Request Forgery vulnerability in multiple endpoints. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.
Known Attack Vectors
An unauthenticated malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack leading to information disclosure.
Resolution
To remediate CVE-2021-22026 and CVE-2021-22027 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to impacted deployments.
Workarounds
None.
Additional Documentation
An FAQ answering general queries has been created; it is listed in the 'Additional Documentation' column of the 'Response Matrix' below.
Notes
None.
Acknowledgements
VMware would like to thank thiscodecc of MoyunSec V-Lab for reporting this vulnerability to us.
Response Matrix
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
vRealize Operations Manager | 8.5.0 | Any | N/A | N/A | N/A | Unaffected | N/A | N/A
vRealize Operations Manager | 8.4.0 | Any | CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027 | 4.4 - 8.6 | Important | None | |
vRealize Operations Manager | 8.3.0 | Any | CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027 | 4.4 - 8.6 | Important | None | |
vRealize Operations Manager | 8.2.0 | Any | CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027 | 4.4 - 8.6 | Important | None | |
vRealize Operations Manager | 8.1.1, 8.1.0 | Any | CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027 | 4.4 - 8.6 | Important | None | |
vRealize Operations Manager | 8.0.1, 8.0.0 | Any | CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027 | 4.4 - 8.6 | Important | None | |
vRealize Operations Manager | 7.5.0 | Any | CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027 | 4.4 - 8.6 | Important | None | |
Impacted Product Suites that Deploy Response Matrix Components
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
VMware Cloud Foundation (vROps) | 4.x | Any | CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027 | 4.4 - 8.6 | Important | None | |
VMware Cloud Foundation (vROps) | 3.x | Any | CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027 | 4.4 - 8.6 | Important | None | |
vRealize Suite Lifecycle Manager (vROps) | 8.x | Any | CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027 | 4.4 - 8.6 | Important | None | |
4. References
Fixed Versions:
vRealize Operations Manager
8.4: https://kb.vmware.com/s/article/85383
8.3: https://kb.vmware.com/s/article/85382
8.2: https://kb.vmware.com/s/article/85381
8.1.1: https://kb.vmware.com/s/article/85380
8.0.1: https://kb.vmware.com/s/article/85379
7.5: https://kb.vmware.com/s/article/85378
VMware Cloud Foundation (vROps)
4.x/3.x: https://kb.vmware.com/s/article/85452
vRealize Suite Lifecycle Manager (vROps)
8.x: https://kb.vmware.com/s/article/85452
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22022
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22023
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22024
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22025
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22026
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22027
FIRST CVSSv3 Calculator:
CVE-2021-22022 : https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
CVE-2021-22023 : https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2021-22024 : https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2021-22025 : https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
CVE-2021-22026 : https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2021-22027 : https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5. Change Log
2021-08-24 VMSA-2021-0018
Initial security advisory.
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
E-mail: [email protected]
PGP key at:
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2021 VMware Inc. All rights reserved.