
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN352
_____________________________________________________________________

DATE                : 15/07/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware ThinApp versions 5.x prior
                     to 5.2.10.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2021-0015.html
_____________________________________________________________________

Moderate


Advisory ID:    VMSA-2021-0015
CVSSv3 Range:   6.8
Issue Date:     2021-07-13
Updated On:     2021-07-13 (Initial Advisory)
CVE(s):         CVE-2021-22000


Synopsis:
VMware ThinApp update addresses a DLL hijacking vulnerability
(CVE-2021-22000)


1. Impacted Products

    VMware ThinApp


2. Introduction

A DLL hijacking vulnerability in VMware ThinApp was privately reported
to VMware. Updates are available to remediate this vulnerability in
affected VMware products.

3. VMware ThinApp update addresses a DLL hijacking vulnerability
(CVE-2021-22000)


Description

VMware ThinApp contains a DLL hijacking vulnerability due to insecure
loading of DLLs. VMware has evaluated the severity of this issue to be
in the Moderate severity range with a maximum CVSSv3 base score of 6.8.

Known Attack Vectors

A malicious actor with non-administrative privileges may exploit this
vulnerability to elevate privileges to administrator level on a Windows
system that has VMware ThinApp installed.


Resolution

To remediate CVE-2021-22000, apply the patches listed in the 'Fixed
Version' column of the 'Resolution Matrix' found below.


Workarounds

None.


Additional Documentation

None.


Notes

None.


Acknowledgements

VMware would like to thank Hou JingYi (@hjy79425575) of Qihoo 360 for
reporting this issue to us.


Response Matrix

Product         Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
VMware ThinApp  5.x      Windows     CVE-2021-22000  6.8     Moderate  5.2.10         None         None
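The Response Matrix above gives exactly one affected range (VMware ThinApp
5.x on Windows, fixed in 5.2.10). The following triage helper is an added
example, not part of the CERT-Renater notice or of VMware's advisory: it
encodes that row so an inventory can be checked numerically (as strings,
"5.2.9" sorts after "5.2.10", which is the usual mistake), and it reports
major versions the advisory does not mention as unknown rather than safe.
The host names and versions in the sample inventory are constructed.

```python
"""
Triage helper for VMSA-2021-0015 (CVE-2021-22000).

Added example, not part of the CERT-Renater notice or of VMware's advisory.
It encodes the Response Matrix: VMware ThinApp 5.x on Windows is affected,
and 5.2.10 is the fixed version. The inventory below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

AFFECTED_MAJOR = 5
FIXED_VERSION = (5, 2, 10)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '5.2.9' into (5, 2, 9); pad to three components so '5.2' == 5.2.0.
    Comparing tuples of ints avoids the string trap where '5.2.9' > '5.2.10'."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    padded = parts + [0] * (3 - len(parts))
    return (padded[0], padded[1], padded[2])


def is_affected(version: str) -> Optional[bool]:
    """True if the version is in the advisory's range (5.x prior to 5.2.10),
    False if it is 5.2.10 or later, None for major versions the advisory does
    not cover (caller should treat those as 'unknown', not 'safe')."""
    v = parse_version(version)
    if v[0] != AFFECTED_MAJOR:
        return None
    return v < FIXED_VERSION


@dataclass
class Host:
    name: str
    product: str
    os: str
    version: str


def triage(hosts: List[Host]) -> Tuple[List[str], List[str]]:
    """Return (needs_patch, unknown) host-name lists for the matrix row
    'VMware ThinApp / Windows'. Other products and OSes are ignored."""
    needs_patch, unknown = [], []
    for h in hosts:
        if h.product != "VMware ThinApp" or not h.os.lower().startswith("windows"):
            continue
        status = is_affected(h.version)
        if status is None:
            unknown.append(h.name)
        elif status:
            needs_patch.append(h.name)
    return needs_patch, unknown


# Constructed inventory (hypothetical host names and versions).
SAMPLE_HOSTS = [
    Host("ws-01", "VMware ThinApp", "Windows 10", "5.2.9"),
    Host("ws-02", "VMware ThinApp", "Windows 10", "5.2.10"),      # fixed version
    Host("ws-03", "VMware ThinApp", "Windows 10", "5.2.2"),
    Host("ws-04", "VMware ThinApp", "Windows 10", "5.2"),         # read as 5.2.0
    Host("ws-05", "VMware ThinApp", "Windows 10", "4.7.3"),       # not in the stated range
    Host("ws-06", "VMware Workstation", "Windows 10", "5.2.1"),   # different product
]

if __name__ == "__main__":
    patch, unk = triage(SAMPLE_HOSTS)
    print("needs 5.2.10 or later:", patch)
    print("outside the advisory's stated range:", unk)
```

Hosts listed as unknown should be checked against the vendor's own
lifecycle information rather than dropped from the work list.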


4. References

Fixed Version(s) and Release Notes:

https://my.vmware.com/en/web/vmware/downloads/info/slug/desktop_end_user_computing/vmware_thinapp/5_0

https://docs.vmware.com/en/VMware-ThinApp/5.2.10/rn/vmware_thinapp_5210_release_notes/index.html



Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22000


FIRST CVSSv3 Calculator:

https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L


5. Change Log

2021-07-13: VMSA-2021-0015
Initial security advisory.


6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce



This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org



E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055


VMware Security Advisories
https://www.vmware.com/security/advisories


VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html


VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html


VMware Security & Compliance Blog
https://blogs.vmware.com/security


Twitter
https://twitter.com/VMwareSRC



Copyright 2021 VMware Inc. All rights reserved.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


