==================================================================== CERT-Renater Note d'Information No. 2021/VULN265 _____________________________________________________________________ DATE : 06/05/2021 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running VMware vRealize Business for Cloud versions 7.6. ===================================================================== https://www.vmware.com/security/advisories/VMSA-2021-0007.html _____________________________________________________________________ Critical Advisory ID: VMSA-2021-0007 CVSSv3 Range: 9.8 Issue Date: 2021-05-05 Updated On: 2021-05-05 (Initial Advisory) CVE(s): CVE-2021-21984 Synopsis: VMware vRealize Business for Cloud updates address a remote code execution vulnerability (CVE-2021-21984) 1. Impacted Products VMware vRealize Business for Cloud 2. Introduction A remote code execution vulnerability in VMware vRealize Business for Cloud was privately reported to VMware. Updates are available to remediate this vulnerability in affected VMware product. 3a. VMware vRealize Business for Cloud update addresses remote code execution vulnerability (CVE-2021-21984) Description VMware vRealize Business for Cloud contains a remote code execution vulnerability due to an unauthorised end point. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. Known Attack Vectors A malicious actor with network access may exploit this issue causing unauthorised remote code execution on vRealize Business for Cloud Virtual Appliance. Resolution To remediate CVE-2021-21984 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below. Workarounds None Additional Documentation A Knowledge article was created which is listed in the 'Additional Documentation' column of the 'Response Matrix' below. Notes None Acknowledgements VMware would like to thank Egor Dimitrenko of Positive Technologies for reporting this vulnerability to us. Response Matrix Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation VMware vRealize Business for Cloud 7.6 Any CVE-2021-21984 9.8 critical KB83475 None KB83475 4. References Remediation and Workarounds: VMware vRealize Business for Cloud 7.6.0: https://kb.vmware.com/s/article/83475 Mitre CVE Dictionary Links: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21984 FIRST CVSSv3 Calculator: CVE-2021-21984: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 5. Change Log 2021-05-05 VMSA-2021-0007 Initial security advisory. 6. Contact E-mail list for product security notifications and announcements: https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce@lists.vmware.com bugtraq@securityfocus.com fulldisclosure@seclists.org E-mail: security@vmware.com PGP key at: https://kb.vmware.com/kb/1055 VMware Security Advisories https://www.vmware.com/security/advisories VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html VMware Security & Compliance Blog https://blogs.vmware.com/security Twitter https://twitter.com/VMwareSRC Copyright 2020 VMware Inc. All rights reserved. ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================