Low

VMSA-2021-0021.1
2.7
2021-10-12
2022-10-31
CVE-2021-22033
VMware vRealize Operations update addresses SSRF Vulnerability (CVE-2021-22033)

1. Impacted Products
  • VMware vRealize Operations
  • VMware Cloud Foundation (Cloud Foundation) 
  • vRealize Suite Lifecycle Manager
2. Introduction

A SSRF vulnerability in VMware vRealize Operations was privately reported to VMware. Patches are available to address this vulnerability in impacted VMware products. 

3. Server Side Request Forgery in vRealize Operations (CVE-2021-22033)

Description

vRealize Operations contains a Server Side Request Forgery (SSRF) vulnerability. VMware has evaluated the severity of this issue to be in the Low severity range with a maximum CVSSv3 base score of 2.7.

Known Attack Vectors

A malicious actor with administrative access to vRealize Operations can enumerate internal IPs and internal ports.

Resolution

To remediate CVE-2021-22033 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank AxisX for reporting this vulnerability to us.

Notes

None.

Response Matrix:

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
vRealize Operations
8.x, 7.x
Any
CVE-2021-22033
2.7
low
8.6.0
None
None

Impacted Product Suites that Deploy Response Matrix Components:

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
VMware Cloud Foundation (vROps)
4.x, 3.x
Any
CVE-2021-22033
2.7
low
KB 89887
None
None
vRealize Suite Lifecycle Manager (vROps)
8.x
Any
CVE-2021-22033
2.7
low
8.6
None
None
4. References

 

Remediation and Workarounds:

vRealize Operations
8.6.0: https://docs.vmware.com/en/vRealize-Operations/8.6/rn/vrealize-operations-86-release-notes/index.html 

vRealize Suite Lifecycle Manager
8.6.0: https://docs.vmware.com/en/VMware-vRealize-Suite-Lifecycle-Manager/8.6/rn/VMware-vRealize-Suite-Lifecycle-Manager-86-Release-Notes.html


FIRST CVSSv3 Calculator:
CVE-2021-22033: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N (2.7)

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22033

5. Change Log

2021-10-12: VMSA-2021-0021
Initial security advisory.

2022-10-31: VMSA-2021-0021.1
Added fixed versions for VMware Cloud Foundation(vRops) and vRealize Suite Lifecycle Manager (vRops)



6. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce 

 

This Security Advisory is posted to the following lists:  

security-announce@lists.vmware.com  

bugtraq@securityfocus.com  

fulldisclosure@seclists.org 

 

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055 

 

VMware Security Advisories

https://www.vmware.com/security/advisories 

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html 

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html 

 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security 

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2021 VMware Inc. All rights reserved.