Severity: Moderate
Advisory ID: VMSA-2021-0023.1
CVSSv3 Range: 6.5
Issue Date: 2021-10-12
Updated On: 2021-10-13
CVE(s): CVE-2021-22036
VMware vRealize Orchestrator update addresses open redirect vulnerability (CVE-2021-22036)


1. Impacted Products
  • VMware vRealize Orchestrator
  • VMware vRealize Automation
2. Introduction

An open redirect vulnerability in VMware vRealize Orchestrator was privately reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.

3. VMware vRealize Orchestrator update addresses open redirect vulnerability (CVE-2021-22036)

Description

VMware vRealize Orchestrator contains an open redirect vulnerability due to improper path handling. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.

Known Attack Vectors

A malicious actor may be able to redirect a victim to an attacker-controlled domain because of improper path handling in vRealize Orchestrator, which may lead to sensitive information disclosure.
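The advisory states the cause (improper path handling) but not the affected endpoint, so the following added example does not reproduce vRealize Orchestrator's code or any exploit step against it. It is a generic, hypothetical illustration of the bug class: a redirect handler that trusts a "starts with /" check, beside a hardened form that only accepts a same-origin, path-only target. The origin name is a placeholder and the handler names are assumptions, not identifiers from the product.

```python
"""Open redirect via improper path handling, as a generic illustration.

Added example, NOT vRealize Orchestrator code. Names below are hypothetical.
"""
from urllib.parse import urljoin, urlsplit

# Assumed application origin; a placeholder, not a real host.
APP_ORIGIN = "https://vro.example.internal"


def naive_redirect_target(next_path: str) -> str:
    """Vulnerable: assumes anything beginning with '/' is a local path.

    Browsers treat '//evil.example/x' as a scheme-relative URL, and WHATWG
    URL parsing collapses extra slashes for special schemes, so '///evil'
    reaches evil as well. Several browsers also rewrite '/\\evil' to '//evil'.
    The 'starts with /' check therefore does not keep the redirect on-site.
    """
    if not next_path.startswith("/"):
        next_path = "/" + next_path
    return next_path  # would go straight into a Location header


def safe_redirect_target(next_path: str, fallback: str = "/") -> str:
    """Hardened: accept only a same-origin, path-only target, else fall back."""
    if not next_path or "\\" in next_path:
        return fallback
    parts = urlsplit(next_path)
    if parts.scheme or parts.netloc:  # 'https://...', 'javascript:', '//host'
        return fallback
    # urlsplit reports an empty netloc for '///host', so check the prefix too.
    if not next_path.startswith("/") or next_path.startswith("//"):
        return fallback
    # Belt and braces: resolve against our origin and confirm it is unchanged.
    if urlsplit(urljoin(APP_ORIGIN, next_path)).netloc != urlsplit(APP_ORIGIN).netloc:
        return fallback
    return next_path


def resolves_to(target: str) -> str:
    """Where a browser lands after 'Location: <target>' issued from APP_ORIGIN."""
    return urljoin(APP_ORIGIN + "/", target)


if __name__ == "__main__":
    # Constructed sample inputs covering the off-site and on-site cases.
    for candidate in ["/dashboard?tab=1", "//evil.example/login",
                      "///evil.example", "/\\evil.example",
                      "https://evil.example/", "javascript:alert(1)"]:
        print(f"{candidate!r:28} naive -> {resolves_to(naive_redirect_target(candidate))}")
        print(f"{'':28} safe  -> {resolves_to(safe_redirect_target(candidate))}")
```

The hardened check rejects by shape (no scheme, no authority, no backslash, exactly one leading slash) and then confirms the resolved origin; a denylist of known-bad prefixes is the pattern that tends to be bypassed by the next encoding variant.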

Resolution

To remediate CVE-2021-22036 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Notes

VMware vRealize Automation 8.x is affected since it uses embedded vRealize Orchestrator.

Acknowledgements

VMware would like to thank Marek Takáč of Citadelo for reporting this vulnerability to us.

Response Matrix

Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
VMware vRealize Orchestrator | 8.x | Virtual Appliance | CVE-2021-22036 | 6.5 | Moderate | 8.6 | None | None
VMware vRealize Automation | 8.x | Any | CVE-2021-22036 | 6.5 | Moderate | 8.6 | None | None
4. References
5. Change Log

2021-10-12 VMSA-2021-0023
Initial security advisory.

2021-10-13 VMSA-2021-0023.1
Added VMware vRealize Automation 8.x to the Response Matrix section, as it uses embedded vRealize Orchestrator.

6. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com

bugtraq@securityfocus.com

fulldisclosure@seclists.org

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055

VMware Security Advisories

https://www.vmware.com/security/advisories

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog

https://blogs.vmware.com/security

Twitter

https://twitter.com/VMwareSRC


Copyright 2021 VMware Inc. All rights reserved.