Critical

VMSA-2021-0012
9.4
2021-06-22
2021-06-22 (Initial Advisory)
CVE-2021-21998
VMware Carbon Black App Control update addresses authentication bypass (CVE-2021-21998)

Share this page on social media

Sign up for Security Advisories

1. Impacted Products
  • VMware Carbon Black App Control (AppC)
2. Introduction

An authentication bypass in the VMware Carbon Black App Control management server was privately reported to VMware. Updates are available to remediate this vulnerability in the affected VMware product.

3. VMware Carbon Black App Control updates address authentication bypass (CVE-2021-21998)

Description

The VMware Carbon Black App Control management server has an authentication bypass. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.4.

Known Attack Vectors

A malicious actor with network access to the VMware Carbon Black App Control management server might be able to obtain administrative access to the product without the need to authenticate.

Resolution

To remediate CVE-2021-21998, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Notes

Login to the Carbon Black UEX Portal is required to download fixes.

Acknowledgements

None

Response Matrix

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
AppC
8.6.x
Windows
CVE-2021-21998
9.4
critical
None
None
AppC
8.5.x
Windows
CVE-2021-21998
9.4
critical
None
None
AppC
8.1.x, 8.0.x
Windows
CVE-2021-21998
9.4
critical
None
None
4. References
5. Change Log

2021-06-22 VMSA-2021-0012
Initial security advisory.

6. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce 

 

This Security Advisory is posted to the following lists:  

security-announce@lists.vmware.com

 

E-mail: security@vmware.com

 

PGP key at:

https://kb.vmware.com/kb/1055 

 

VMware Security Advisories

https://www.vmware.com/security/advisories 

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html 

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html 

 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security 

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2021 VMware Inc. All rights reserved.