Important
1. Impacted Products
- vSphere Replication
2. Introduction
A command injection vulnerability in vSphere Replication was privately reported to VMware . Updates are available to address this vulnerability in the affected product.
3. Authenticated Command Injection Vulnerability in vSphere Replication(CVE-2021-21976)
Description
vSphere Replication contains a post-authentication command injection vulnerability in "Startup Configuration" page. VMware has evaluated this issue to be 'Important' severity with a maximum CVSSv3 base score of 7.2.
Known Attack Vectors
A malicious actor with administrative access in vSphere Replication can execute shell commands on the underlying system. Successful exploitation of this issue may allow authenticated admin user to perform a remote code execution.
Resolution
To remediate CVE-2021-21976, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
Workarounds
None.
Additional Documentation
None.
Notes
None.
Acknowledgements
VMware would like to thank Egor Dimitrenko from Positive Technologies for reporting this issue to us.
Response Matrix
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|
vSphere Replication
|
8.3.x
|
Any
|
CVE-2021-21976
|
important
|
8.3.1.2
|
None
|
None
|
|
|
vSphere Replication
|
8.2.x
|
Any
|
CVE-2021-21976
|
important
|
8.2.1.1
|
None
|
None
|
|
|
vSphere Replication
|
8.1.x
|
Any
|
CVE-2021-21976
|
important
|
8.1.2.3
|
None
|
None
|
|
|
vSphere Replication
|
6.5.x
|
Any
|
CVE-2021-21976
|
important
|
6.5.1.5
|
None
|
None
|
4. References
vSphere Replication 8.3.1.2
Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VR8312&productId=742
https://docs.vmware.com/en/vSphere-Replication/8.3/rn/vsphere-replication-8312-release-notes.html
vSphere Replication 8.2.1.1
Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VR8211&productId=742
https://docs.vmware.com/en/vSphere-Replication/8.2/rn/vsphere-replication-821-release-notes.html
vSphere Replication 8.1.2.3
Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VR8123&productId=742
https://docs.vmware.com/en/vSphere-Replication/8.1/rn/vsphere-replication-812-release-notes.html
vSphere Replication 6.5.1.5
Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?productId=614&downloadGroup=VR6515
https://docs.vmware.com/en/vSphere-Replication/6.5/rn/vsphere-replication-651-release-notes.html
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21976
FIRST CVSSv3 Calculator:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
5. Change Log
2021-02-11 VMSA-2021-0001
Initial security advisory.
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
E-mail: security@vmware.com
PGP key at:
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2020 VMware Inc. All rights reserved.