Advisory ID: VMSA-2021-0015
Severity: Moderate
CVSSv3 Range: 6.8
Issue Date: 2021-07-13
Updated On: 2021-07-13 (Initial Advisory)
CVE(s): CVE-2021-22000
Synopsis: VMware ThinApp update addresses a DLL hijacking vulnerability (CVE-2021-22000)

1. Impacted Products
  • VMware ThinApp
2. Introduction

A DLL hijacking vulnerability in VMware ThinApp was privately reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.

3. VMware ThinApp update addresses a DLL hijacking vulnerability (CVE-2021-22000)

Description

VMware ThinApp contains a DLL hijacking vulnerability due to insecure loading of DLLs. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.8.

Known Attack Vectors

A malicious actor with non-administrative privileges may exploit this vulnerability to elevate privileges to administrator level on a Windows operating system where VMware ThinApp is installed.

Resolution

To remediate CVE-2021-22000, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Hou JingYi (@hjy79425575) of Qihoo 360 for reporting this issue to us.

Response Matrix

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| VMware ThinApp | 5.x | Windows | CVE-2021-22000 | 6.8 | moderate | 5.2.10 | None | None |

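
One way to check a Windows host against the matrix above, as an added example that is not part of VMware's advisory: the PowerShell below reads the standard Uninstall registry keys and compares each ThinApp entry with the fixed version 5.2.10. The '*ThinApp*' DisplayName filter and the function names are assumptions of this example, not values taken from the advisory.

```powershell
# Added example: flag ThinApp 5.x installs older than the fixed version 5.2.10.
# Assumption: the installer registers a DisplayName containing "ThinApp".
$FixedVersion = [version]'5.2.10'
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function ConvertTo-ComparableVersion {
    param([string]$Text)
    # Keep only the leading dotted numeric part, e.g. "5.2.9-12345" -> 5.2.9
    if ($Text -match '^\s*(\d+(\.\d+){1,3})') { return [version]$Matches[1] }
    return $null
}

function Get-ThinAppPatchStatus {
    param([string]$DisplayVersion)
    $v = ConvertTo-ComparableVersion $DisplayVersion
    if ($null -eq $v)         { return 'Unknown (version not parsed)' }
    if ($v.Major -ne 5)       { return 'Not listed in advisory matrix' }
    if ($v -lt $FixedVersion) { return 'Affected: update to 5.2.10' }
    return 'Fixed'
}

# Enumerate 64-bit and 32-bit uninstall entries and report each ThinApp install.
Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*ThinApp*' } |
    ForEach-Object {
        [pscustomobject]@{
            Name    = $_.DisplayName
            Version = $_.DisplayVersion
            Status  = Get-ThinAppPatchStatus $_.DisplayVersion
        }
    }
```

No output means no matching uninstall entry was found on that host; it does not cover copies of ThinApp that were never registered with the installer.
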
4. References
5. Change Log

2021-07-13: VMSA-2021-0015
Initial security advisory.

6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org

E-mail: security@vmware.com
PGP key at: https://kb.vmware.com/kb/1055

VMware Security Advisories
https://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC


Copyright 2021 VMware Inc. All rights reserved.