
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN199
_____________________________________________________________________

DATE                : 02/04/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware Carbon Black Cloud Workload
                                    appliance software.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2021-0005.html
_____________________________________________________________________

Critical


Advisory ID:     VMSA-2021-0005
CVSSv3 Range:    9.1
Issue Date:      2021-04-01
Updated On:      2021-04-01 (Initial Advisory)
CVE(s):          CVE-2021-21982
Synopsis:
VMware Carbon Black Cloud Workload appliance update addresses incorrect
URL handling vulnerability (CVE-2021-21982)


1. Impacted Products

    VMware Carbon Black Cloud Workload appliance.

2. Introduction

A vulnerability in VMware Carbon Black Cloud Workload appliance was
privately reported to VMware. An update is available to remediate this
vulnerability in the affected versions of the appliance.


3. Advisory Details

Description

A URL on the administrative interface of the VMware Carbon Black Cloud
Workload appliance can be manipulated to bypass authentication. VMware
has evaluated the severity of this issue to be in the Critical severity
range with a maximum CVSSv3 base score of 9.1.

Known Attack Vectors

A malicious actor with network access to the administrative interface of
the VMware Carbon Black Cloud Workload appliance may be able to obtain a
valid authentication token, granting access to the administration API of
the appliance. Successful exploitation of this issue would result in the
attacker being able to view and alter administrative configuration
settings.

Resolution

To remediate CVE-2021-21982 apply the updates listed in the 'Fixed
Version' column of the 'Response Matrix' below to affected deployments.


Workarounds

None.


Mitigation

VMware best practices recommend implementing network controls to limit
access to the local administrative interface of the appliance.
Unrestricted network access to this interface is not required for the
regular operation of the product.


Additional Documentation
None.


Notes
None.


Acknowledgements

VMware would like to thank Egor Dimitrenko of Positive Technologies for
reporting this issue to us.


Response Matrix

Product                                       Version          Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
--------------------------------------------  ---------------  ----------  --------------  ------  --------  -------------  -----------  ------------------------
VMware Carbon Black Cloud Workload appliance  1.0.1 and prior  Linux       CVE-2021-21982  9.1     critical  1.0.2          None         None


4. References

Fixed Version(s) and/or Release Notes
https://docs.vmware.com/en/VMware-Carbon-Black-Cloud-Workload/1.0/rn/cbc-workload-102-release-notes.html

Mitre CVE Dictionary Links
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21982

FIRST CVSSv3 Calculator
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N


5. Change Log

2021-04-01 VMSA-2021-0005
Initial security advisory.


6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce


This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com


E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055


VMware Security Advisories
https://www.vmware.com/security/advisories


VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html


VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html


VMware Security & Compliance Blog
https://blogs.vmware.com/security


Twitter
https://twitter.com/VMwareSRC



Copyright 2021 VMware Inc. All rights reserved.

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================