VMSA-2021-0021

Main Menu

Take Control of Your Multi-Cloud Environment

73% of enterprises use two or more public clouds today. While multi-cloud accelerates digital transformation, it also introduces complexity and risk.

Simplicity Across Clouds Is Rare
91% of executives are looking to improve “consistency across [their] public cloud environments."

Applications Need to Be Modernized
68% of developers want to expand use of modern application frameworks, APIs and services.

Distributed Work Models Are Here to Stay
72% of enterprise employees are working from non-traditional environments.

Security Is a Top-Down Concern
Risk related to security, data and privacy issues remains the #1 multi-cloud challenge.

SEE HOW VMWARE CAN HELP

VMware Cross-Cloud™ services enable organizations to unlock the potential of multi-cloud with enterprise security and resiliency.

LEARN ABOUT CROSS-CLOUD SERVICES

Low

Advisory ID: VMSA-2021-0021

CVSSv3 Range: 2.7

Issue Date: 2021-10-12

Updated On: 2021-10-12

CVE(s): CVE-2021-22033

Synopsis: VMware vRealize Operations update addresses SSRF Vulnerability (CVE-2021-22033)

1. Impacted Products

VMware vRealize Operations
VMware Cloud Foundation
vRealize Suite Lifecycle Manager

2. Introduction

A SSRF vulnerability in VMware vRealize Operations was privately reported to VMware. Patches are available to address this vulnerability in impacted VMware products.

3. Server Side Request Forgery in vRealize Operations (CVE-2021-22033)

Description

vRealize Operations contains a Server Side Request Forgery (SSRF) vulnerability. VMware has evaluated the severity of this issue to be in the Low severity range with a maximum CVSSv3 base score of 2.7.

Known Attack Vectors

A malicious actor with administrative access to vRealize Operations can enumerate internal IPs and internal ports.

Resolution

To remediate CVE-2021-22033 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank AxisX for reporting this vulnerability to us.

Notes

None.

Response Matrix:

Product	Version	Running On	CVE Identifier	CVSSv3	Severity	Fixed Version	Workarounds	Additional Documentation
vRealize Operations	8.x, 7.x	Any	CVE-2021-22033	2.7	low	8.6.0	None	None

Impacted Product Suites that Deploy Response Matrix Components:

Product	Version	Running On	CVE Identifier	CVSSv3	Severity	Fixed Version	Workarounds	Additional Documentation
VMware Cloud Foundation (vROps)	4.x, 3.x	Any	CVE-2021-22033	2.7	low	Patch Pending	None	None
vRealize Suite Lifecycle Manager (vROps)	8.x	Any	CVE-2021-22033	2.7	low	Patch Pending	None	None