Important

VMSA-2021-0018
4.4 - 8.6
2021-08-24
2021-08-24 (Initial Advisory)
CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027
VMware vRealize Operations updates address multiple security vulnerabilities (CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027)

Share this page on social media

Sign up for Security Advisories

1. Impacted Products
  • VMware vRealize Operations
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager
2. Introduction

Multiple vulnerabilities in VMware vRealize Operations were privately reported to VMware. Patches and Workarounds are available to address these vulnerabilities in impacted VMware products. 

3a. Arbitrary file read vulnerability in vRealize Operations Manager API (CVE-2021-22022)

Description

The vRealize Operations Manager API contains an arbitrary file read vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.4.

Known Attack Vectors

A malicious actor with administrative access to vRealize Operations Manager API can read any arbitrary file on server leading to information disclosure.

Resolution

To remediate CVE-2021-22022 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

An FAQ to document general queries was created which is listed in the 'Additional Documentation' column of the 'Response Matrix' below.

Notes

None.

Acknowledgements

VMware would like to thank Egor Dimitrenko of Positive Technologies for reporting this vulnerability to us.

3b. Insecure direct object reference vulnerability in vRealize Operations Manager API (CVE-2021-22023)

Description

The vRealize Operations Manager API has insecure object reference vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.6.

Known Attack Vectors

A malicious actor with administrative access to vRealize Operations Manager API may be able to modify other users information leading to an account takeover.

Resolution

To remediate CVE-2021-22023 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

An FAQ to document general queries was created which is listed in the 'Additional Documentation' column of the 'Response Matrix' below.

Notes

None.

Acknowledgements

VMware would like to thank Egor Dimitrenko of Positive Technologies for reporting this vulnerability to us.

3c. Arbitrary log-file read vulnerability in vRealize Operations Manager API (CVE-2021-22024)

Description

The vRealize Operations Manager API contains an arbitrary log-file read vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

Known Attack Vectors

An unauthenticated malicious actor with network access to the vRealize Operations Manager API can read any log file resulting in sensitive information disclosure.

Resolution

To remediate CVE-2021-22024 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

An FAQ to document general queries was created which is listed in the 'Additional Documentation' column of the 'Response Matrix' below.

Notes

None.

Acknowledgements

VMware would like to thank thiscodecc of MoyunSec V-Lab for reporting this vulnerability to us.

3d. Broken access control vulnerability in vRealize Operations Manager API (CVE-2021-22025)

Description

The vRealize Operations Manager API contains a broken access control vulnerability leading to unauthenticated API access. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.6.

Known Attack Vectors

An unauthenticated malicious actor with network access to the vRealize Operations Manager API can add new nodes to existing vROps cluster.

Resolution

To remediate CVE-2021-22025 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

An FAQ to document general queries was created which is listed in the 'Additional Documentation' column of the 'Response Matrix' below.

Notes

None.

Acknowledgements

VMware would like to thank thiscodecc of MoyunSec V-Lab for reporting this vulnerability to us.

3e. Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-22026, CVE-2021-22027)

Description

The vRealize Operations Manager API contains a Server Side Request Forgery in multiple end points. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

Known Attack Vectors

An unauthenticated malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack leading to information disclosure.

Resolution

To remediate CVE-2021-22026 and CVE-2021-22027 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to impacted deployments.

Workarounds

None.

Additional Documentation

An FAQ to document general queries was created which is listed in the 'Additional Documentation' column of the 'Response Matrix' below.

Notes

None.

Acknowledgements

VMware would like to thank thiscodecc of MoyunSec V-Lab for reporting this vulnerability to us.

Response Matrix

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
vRealize Operations Manager
8.5.0
Any
N/A
N/A
N/A
Unaffected
N/A
N/A
vRealize Operations Manager
8.4.0
Any
CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027
4.4 - 8.6
important
None
FAQ
vRealize Operations Manager
8.3.0
Any
CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027
4.4 - 8.6
important
None
FAQ
vRealize Operations Manager
8.2.0
Any
CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027
4.4 - 8.6
important
None
FAQ
vRealize Operations Manager
8.1.1, 8.1.0
Any
CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027
4.4 - 8.6
important
None
FAQ
vRealize Operations Manager
8.0.1, 8.0.0
Any
CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027
4.4 - 8.6
important
None
FAQ
vRealize Operations Manager
7.5.0
Any
CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027
4.4 - 8.6
important
None
FAQ

Impacted Product Suites that Deploy Response Matrix Components

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
VMware Cloud Foundation (vROps)
4.x
Any
CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027
4.4 - 8.6
important
None
FAQ
VMware Cloud Foundation (vROps)
3.x
Any
CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027
4.4 - 8.6
important
None
FAQ
vRealize Suite Lifecycle Manager (vROps)
8.x
Any
CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027
4.4 - 8.6
important
None
FAQ
4. References

Fixed Versions:

vRealize Operations Manager

8.4: https://kb.vmware.com/s/article/85383

8.3: https://kb.vmware.com/s/article/85382

8.2: https://kb.vmware.com/s/article/85381

8.1.1: https://kb.vmware.com/s/article/85380

8.0.1: https://kb.vmware.com/s/article/85379

7.5: https://kb.vmware.com/s/article/85378

 

VMware Cloud Foundation (vROps)

4.x/3.x: https://kb.vmware.com/s/article/85452

 

vRealize Suite Lifecycle Manager (vROps)

8.x: https://kb.vmware.com/s/article/85452

 

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22022

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22023

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22024

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22025

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22026

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22027

 

FIRST CVSSv3 Calculator:

CVE-2021-22022 : https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

CVE-2021-22023 : https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2021-22024 : https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2021-22025 : https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CVE-2021-22026 : https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2021-22027 : https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5. Change Log

2021-08-24 VMSA-2021-0018
Initial security advisory.

6. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce 

 

This Security Advisory is posted to the following lists:  

security-announce@lists.vmware.com  

bugtraq@securityfocus.com  

fulldisclosure@seclists.org 

 

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055 

 

VMware Security Advisories

https://www.vmware.com/security/advisories 

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html 

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html 

 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security 

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2021 VMware Inc. All rights reserved.