
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN336
_____________________________________________________________________

DATE                : 23/06/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware Carbon Black App Control
                             8.6.x prior to 8.6.2, 8.5.x prior to 8.5.8,
                             and 8.1.x / 8.0.x without the hotfix.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2021-0012.html
_____________________________________________________________________


Advisory ID:      VMSA-2021-0012
CVSSv3 Range:     9.4
Issue Date:       2021-06-22
Updated On:       2021-06-22 (Initial Advisory)
CVE(s):           CVE-2021-21998


Synopsis:
VMware Carbon Black App Control update addresses authentication bypass
(CVE-2021-21998)



1. Impacted Products

    VMware Carbon Black App Control (AppC)


2. Introduction

An authentication bypass in the VMware Carbon Black App Control
management server was privately reported to VMware. Updates are
available to remediate this vulnerability in the affected VMware
product.

3. VMware Carbon Black App Control updates address authentication bypass
(CVE-2021-21998)

Description

The VMware Carbon Black App Control management server has an
authentication bypass. VMware has evaluated the severity of this issue
to be in the Critical severity range with a maximum CVSSv3 base score of
9.4.

Known Attack Vectors

A malicious actor with network access to the VMware Carbon Black App
Control management server might be able to obtain administrative access
to the product without the need to authenticate.


Resolution

To remediate CVE-2021-21998, apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.


Workarounds

None.


Additional Documentation

None.


Notes

Login to the Carbon Black UEX Portal is required to download fixes.


Acknowledgements

None


Response Matrix

Product  Version       Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation

AppC     8.6.x         Windows     CVE-2021-21998  9.4     critical  8.6.2          None         None

AppC     8.5.x         Windows     CVE-2021-21998  9.4     critical  8.5.8          None         None

AppC     8.1.x, 8.0.x  Windows     CVE-2021-21998  9.4     critical  Hotfix         None         None
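As an added check that is not part of the advisory or of VMware's own tooling: the Python below classifies an installed App Control server version against the Response Matrix above. The branch-to-fixed-version table is transcribed from the advisory; the sample version strings are constructed, and how the installed version is obtained (for example from the console's About page) is assumed to be done by the operator beforehand. For 8.1.x and 8.0.x the version number alone cannot show whether the hotfix is present, so those branches are reported as needing a manual hotfix check rather than as patched or vulnerable.

```python
"""Classify an installed VMware Carbon Black App Control (AppC) server version
against the VMSA-2021-0012 / CVE-2021-21998 Response Matrix.

Added example, not VMware's code. The FIXED_VERSIONS table is transcribed
from the advisory; the version strings in main() are constructed samples.
"""
from typing import Optional, Tuple

# (major, minor) branch -> minimum fixed version, per the Response Matrix.
# 8.1.x / 8.0.x are fixed by a hotfix whose presence is not visible in the
# version number, hence None.
FIXED_VERSIONS = {
    (8, 6): (8, 6, 2),
    (8, 5): (8, 5, 8),
    (8, 1): None,
    (8, 0): None,
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse '8.6.2' or '8.5.8.1234' into a tuple of ints; reject junk."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version_text: str) -> str:
    """Return 'patched', 'vulnerable', 'verify-hotfix' or 'unlisted'.

    'unlisted' means the branch is not in the advisory's Response Matrix;
    no conclusion is drawn for it either way.
    """
    v = parse_version(version_text)
    if len(v) < 2:
        raise ValueError(f"need at least major.minor: {version_text!r}")
    branch = (v[0], v[1])
    if branch not in FIXED_VERSIONS:
        return "unlisted"
    fixed: Optional[Tuple[int, int, int]] = FIXED_VERSIONS[branch]
    if fixed is None:
        return "verify-hotfix"
    # Compare only major.minor.patch, padding missing components with 0,
    # so that '8.6.2.1234' counts as 8.6.2 and a bare '8.6' as 8.6.0.
    v3 = (v + (0, 0, 0))[:3]
    return "patched" if v3 >= fixed else "vulnerable"


def main() -> None:
    # Constructed sample inputs, one per outcome.
    for sample in ("8.6.1", "8.6.2.1234", "8.5.8", "8.1.4", "8.7.0"):
        print(f"{sample:<12} -> {assess(sample)}")


if __name__ == "__main__":
    main()
```

Because the advisory lists no workaround, any result other than "patched" on a server reachable over the network should be treated as requiring the fix from the Response Matrix rather than compensating controls.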


4. References

VMware Carbon Black App Control 8.6.2, 8.5.8, 8.1.x, 8.0.x

Downloads and Documentation:

https://community.carbonblack.com/t5/App-Control-Documents/Critical-App-Control-Server-Patch-Announcement/ta-p/104906


Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21998


FIRST CVSSv3 Calculator:

CVE-2021-21998:
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L


5. Change Log

2021-06-22 VMSA-2021-0012
Initial security advisory.


6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce


This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com


E-mail: security@vmware.com


PGP key at:
https://kb.vmware.com/kb/1055


VMware Security Advisories
https://www.vmware.com/security/advisories


VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html


VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html


VMware Security & Compliance Blog
https://blogs.vmware.com/security


Twitter
https://twitter.com/VMwareSRC


Copyright 2021 VMware Inc. All rights reserved.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


