Important
1. Impacted Products
VMware Tanzu Application Service for VMs
2. Introduction
A denial-of-service vulnerability in the Cloud Controller component of VMware Tanzu Application Service for VMs was observed. Patches are available to remediate this vulnerability in affected VMware products; no workaround is available.
3a. VMware Tanzu Application Service for VMs updates address a denial-of-service vulnerability (CVE-2021-22101)
Description
VMware Tanzu Application Service for VMs uses Cloud Controller (CAPI) from Cloud Foundry, which contains an unauthenticated denial-of-service (DoS) vulnerability. VMware has evaluated this issue to be of 'Important' severity with a maximum CVSSv3 base score of 7.5.
Known Attack Vectors
An unauthenticated remote attacker can send REST HTTP requests to Cloud Controller that cause it to generate an enormous SQL query, making the Cloud Controller database (ccdb) unavailable and thereby denying service. No credentials or user interaction are required (CVSSv3 vector AV:N/AC:L/PR:N/UI:N).
Resolution
To remediate CVE-2021-22101, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds
None.
Additional Documentation
None.
Notes
None.
Acknowledgements
Response Matrix
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
VMware Tanzu Application Service for VMs | 2.12.x | Any | CVE-2021-22101 | 7.5 | Important | 2.12.1 | None | None
VMware Tanzu Application Service for VMs | 2.11.x | Any | CVE-2021-22101 | 7.5 | Important | 2.11.8 | None | None
VMware Tanzu Application Service for VMs | 2.10.x | Any | CVE-2021-22101 | 7.5 | Important | 2.10.20 | None | None
VMware Tanzu Application Service for VMs | 2.9.x | Any | CVE-2021-22101 | 7.5 | Important | 2.9.28 | None | None
VMware Tanzu Application Service for VMs | 2.7.x | Any | CVE-2021-22101 | 7.5 | Important | 2.7.40 | None | None
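The following is an added example, not part of this advisory or of VMware's tooling: a small Python check that compares a deployed Tanzu Application Service for VMs version against the fixed versions in the Response Matrix above. The fixed-version values are copied from the matrix; the function names, the "unlisted" status for release lines the matrix does not cover, and the sample inventory are this example's own assumptions. A release line that is absent from the matrix is reported as unlisted rather than as safe, because the advisory makes no statement about it.

```python
# Added example (not from VMSA-2021-0026 or VMware): assess whether a TAS for
# VMs version is at or above the fixed version listed in the Response Matrix.
import re

# Fixed versions per release line, copied from the advisory's Response Matrix.
FIXED_VERSIONS = {
    "2.12": "2.12.1",
    "2.11": "2.11.8",
    "2.10": "2.10.20",
    "2.9": "2.9.28",
    "2.7": "2.7.40",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Parse 'major.minor.patch' into a tuple of ints; reject anything else."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(version):
    """Return (status, fixed_version) for a deployed TAS version.

    status is 'fixed' (at or above the fixed version for its release line),
    'vulnerable' (below it) or 'unlisted' (release line not in the matrix;
    this example treats that as 'needs manual review', not as safe).
    """
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get(f"{major}.{minor}")
    if fixed is None:
        return "unlisted", None
    if (major, minor, patch) >= parse_version(fixed):
        return "fixed", fixed
    return "vulnerable", fixed


def assess_inventory(inventory):
    """Map each foundation name to its assessment; inventory is {name: version}."""
    return {name: assess(version) for name, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory for illustration only (hypothetical foundations).
    sample = {"prod-east": "2.11.5", "prod-west": "2.12.1", "lab": "2.8.3"}
    for name, (status, fixed) in assess_inventory(sample).items():
        suffix = f" (fixed in {fixed})" if fixed else ""
        print(f"{name}: TAS {sample[name]} -> {status}{suffix}")
```

Versions are compared as integer tuples rather than as strings so that, for example, 2.10.20 is correctly recognised as newer than 2.10.9; the input is validated against a strict major.minor.patch pattern so that build suffixes or stray text fail loudly instead of silently comparing wrong.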
4. References
Fixed Version(s) and Release Notes:
VMware Tanzu Application Service for VMs (2.12.1)
https://network.pivotal.io/products/elastic-runtime#/releases/977821
https://docs.pivotal.io/application-service/2-12/release-notes/runtime-rn.html
VMware Tanzu Application Service for VMs (2.11.8)
https://network.pivotal.io/products/elastic-runtime#/releases/976752
https://docs.pivotal.io/application-service/2-11/release-notes/runtime-rn.html
VMware Tanzu Application Service for VMs (2.10.20)
https://network.pivotal.io/products/elastic-runtime#/releases/979089
https://docs.pivotal.io/application-service/2-10/release-notes/runtime-rn.html
VMware Tanzu Application Service for VMs (2.9.28)
https://network.pivotal.io/products/elastic-runtime#/releases/978786
https://docs.pivotal.io/application-service/2-9/release-notes/runtime-rn.html
VMware Tanzu Application Service for VMs (2.7.40)
https://network.pivotal.io/products/elastic-runtime#/releases/978504
https://docs.pivotal.io/application-service/2-7/release-notes/runtime-rn.html
Additional Documentation:
https://www.cloudfoundry.org/blog/cve-2021-22101-cloud-controller-is-vulnerable-to-unauthenticated-denial-of-service/
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-22101
FIRST CVSSv3 Calculator:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5. Change Log
11/11/2021: VMSA-2021-0026: Initial security advisory.
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
E-mail: security@vmware.com
PGP key at:
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2020 VMware Inc. All rights reserved.