1. Impacted Products
- VMware vRealize Operations
- VMware Cloud Foundation (Cloud Foundation)
- vRealize Suite Lifecycle Manager
An SSRF vulnerability in VMware vRealize Operations was privately reported to VMware. Patches are available to address this vulnerability in impacted VMware products.
3. Server Side Request Forgery in vRealize Operations (CVE-2021-22033)
Known Attack Vectors
A malicious actor with administrative access to vRealize Operations can enumerate internal IPs and internal ports.
To remediate CVE-2021-22033, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
VMware would like to thank AxisX for reporting this vulnerability to us.
Impacted Product Suites that Deploy Response Matrix Components:
Remediation and Workarounds:
vRealize Suite Lifecycle Manager
FIRST CVSSv3 Calculator:
CVE-2021-22033: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N (2.7)
Mitre CVE Dictionary Links:
5. Change Log
Initial security advisory.
Added fixed versions for VMware Cloud Foundation (vRops) and vRealize Suite Lifecycle Manager (vRops).
Copyright 2021 VMware Inc. All rights reserved.