VMSA-2021-0024

Moderate

Advisory ID: VMSA-2021-0024

CVSSv3 Range: 5.3

Issue Date: 2021-10-19

Updated On: 2021-10-19

CVE(s): CVE-2021-22034

Synopsis: VMware vRealize Operations Tenant App update addresses Information Disclosure Vulnerability (CVE-2021-22034)

1. Impacted Products

VMware vRealize Operations Tenant App for VMware Cloud Director

2. Introduction

An information disclosure vulnerability in VMware vRealize Operations Tenant App for VMware Cloud Director was privately reported to VMware. Patch is available to address this vulnerability in impacted VMware products.

3. Information Disclosure Vulnerability in VMware vRealize Operations Tenant App for VMware Cloud Director (CVE-2021-22034)

Description

The vRealize Operations Tenant App for VMware Cloud Director contains an information disclosure vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

Known Attack Vectors

A malicious actor with network access to port 443 on the vRealize Operations Tenant App may access any set system environment variables, leading to information disclosure.

Resolution

To remediate CVE-2021-22034 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Dhiraj Shrikant Datar for reporting this vulnerability to us.

Notes

None.

Response Matrix:

Product	Version	Running On	CVE Identifier	CVSSv3	Severity	Fixed Version	Workarounds	Additional Documentation
vRealize Operations Manager Tenant App	2.x	Any	CVE-2021-22034	5.3	moderate	8.6	N/A	N/A

4. References

Remediation and Workarounds:

vRealize Operations Manager Tenant App
8.6: https://docs.vmware.com/en/Management-Packs-for-vRealize-Operations/8.6/rn/Tenant-App-86-Release-Notes.html

FIRST CVSSv3 Calculator:
CVE-2021-22034: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (5.3)

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22034

5. Change Log

2021-10-19: VMSA-2021-0024
Initial security advisory.

6. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com

bugtraq@securityfocus.com

fulldisclosure@seclists.org

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055

VMware Security Advisories

https://www.vmware.com/security/advisories

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog

https://blogs.vmware.com/security

Twitter

https://twitter.com/VMwareSRC

Today’s Multi-Cloud Reality: Cloud Chaos

87% of enterprises use two or more cloud environments to run their applications. Multi-cloud accelerates digital transformation, but also introduces complexity and risk, resulting in a chaotic reality for many organizations.

Conquer Cloud Chaos with VMware Cross-Cloud services

Anywhere Workspace

App Platform

Cloud & Edge Infrastructure

Cloud Management

Desktop Hypervisor

Security & Networking

Run VMware on any Cloud. Any Environment. Anywhere.

On Public & Hybrid Clouds

On Private & Local Clouds

Solutions

Anywhere Workspace
Access Any App on Any Device Securely

App Platform
Build and Operate Cloud Native Apps

Cloud Infrastructure
Run Enterprise Apps Anywhere

Cloud Management
Automate and Optimize Apps and Clouds

Edge Infrastructure
Enable the Multi-Cloud Edge

Networking
Enable Connectivity for Apps and Clouds

Security
Secure Apps and Clouds

By Industry

VMware AI Solutions

For Customers

For Partners

Working Together with Partners for Customer Success

Tools & Training

Services

Support

Marketplace

Videos

Blogs & Communities

Customers

Events

1. Impacted Products

2. Introduction

3. Information Disclosure Vulnerability in VMware vRealize Operations Tenant App for VMware Cloud Director (CVE-2021-22034)

4. References

5. Change Log

6. Contact

Today’s Multi-Cloud Reality: Cloud Chaos

87% of enterprises use two or more cloud environments to run their applications. Multi-cloud accelerates digital transformation, but also introduces complexity and risk, resulting in a chaotic reality for many organizations.

Conquer Cloud Chaos with VMware Cross-Cloud services

Anywhere Workspace

App Platform

Cloud & Edge Infrastructure

Cloud Management

Desktop Hypervisor

Security & Networking

Run VMware on any Cloud. Any Environment. Anywhere.

On Public & Hybrid Clouds

On Private & Local Clouds

Solutions

Anywhere Workspace Access Any App on Any Device Securely

App Platform Build and Operate Cloud Native Apps

Cloud Infrastructure Run Enterprise Apps Anywhere

Cloud Management Automate and Optimize Apps and Clouds

Edge Infrastructure Enable the Multi-Cloud Edge

Networking Enable Connectivity for Apps and Clouds

Security Secure Apps and Clouds

By Industry

VMware AI Solutions

For Customers

For Partners

Working Together with Partners for Customer Success

Tools & Training

Services

Support

Marketplace

Videos

Blogs & Communities

Customers

Events

1. Impacted Products

2. Introduction

3. Information Disclosure Vulnerability in VMware vRealize Operations Tenant App for VMware Cloud Director (CVE-2021-22034)

4. References

5. Change Log

6. Contact

Anywhere Workspace
Access Any App on Any Device Securely

App Platform
Build and Operate Cloud Native Apps

Cloud Infrastructure
Run Enterprise Apps Anywhere

Cloud Management
Automate and Optimize Apps and Clouds

Edge Infrastructure
Enable the Multi-Cloud Edge

Networking
Enable Connectivity for Apps and Clouds

Security
Secure Apps and Clouds