
=====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN419
_____________________________________________________________________

DATE                : 25/08/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware vRealize Operations,
                       VMware Cloud Foundation (vROps),
                         vRealize Suite Lifecycle Manager (vROps).

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2021-0018.html
_____________________________________________________________________



Important
Advisory ID:     VMSA-2021-0018
CVSSv3 Range:    4.4 - 8.6
Issue Date:      2021-08-24
Updated On:      2021-08-24 (Initial Advisory)
CVE(s):
CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025,
CVE-2021-22026, CVE-2021-22027


Synopsis:
VMware vRealize Operations updates address multiple security
vulnerabilities (CVE-2021-22022, CVE-2021-22023, CVE-2021-22024,
CVE-2021-22025, CVE-2021-22026, CVE-2021-22027)


1. Impacted Products

    VMware vRealize Operations
    VMware Cloud Foundation
    vRealize Suite Lifecycle Manager


2. Introduction

Multiple vulnerabilities in VMware vRealize Operations were privately
reported to VMware. Patches and Workarounds are available to address
these vulnerabilities in impacted VMware products.


3a. Arbitrary file read vulnerability in vRealize Operations Manager API
(CVE-2021-22022)

Description

The vRealize Operations Manager API contains an arbitrary file read
vulnerability. VMware has evaluated the severity of this issue to be in
the Moderate severity range with a maximum CVSSv3 base score of 4.4.

Known Attack Vectors

A malicious actor with administrative access to the vRealize Operations
Manager API can read any file on the server, leading to information
disclosure.

Resolution

To remediate CVE-2021-22022 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

An FAQ covering general queries is listed in the 'Additional
Documentation' column of the 'Response Matrix' below.

Notes

None.

Acknowledgements

VMware would like to thank Egor Dimitrenko of Positive Technologies for
reporting this vulnerability to us.


3b. Insecure direct object reference vulnerability in vRealize
Operations Manager API (CVE-2021-22023)

Description

The vRealize Operations Manager API has an insecure direct object
reference vulnerability. VMware has evaluated the severity of this issue
to be in the Moderate severity range with a maximum CVSSv3 base score of
6.6.

Known Attack Vectors

A malicious actor with administrative access to the vRealize Operations
Manager API may be able to modify other users' information, leading to
an account takeover.

Resolution

To remediate CVE-2021-22023 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

An FAQ covering general queries is listed in the 'Additional
Documentation' column of the 'Response Matrix' below.

Notes

None.

Acknowledgements

VMware would like to thank Egor Dimitrenko of Positive Technologies for
reporting this vulnerability to us.


3c. Arbitrary log-file read vulnerability in vRealize Operations Manager
API (CVE-2021-22024)

Description

The vRealize Operations Manager API contains an arbitrary log-file read
vulnerability. VMware has evaluated the severity of this issue to be in
the Important severity range with a maximum CVSSv3 base score of 7.5.

Known Attack Vectors

An unauthenticated malicious actor with network access to the vRealize
Operations Manager API can read any log file resulting in sensitive
information disclosure.

Resolution

To remediate CVE-2021-22024 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

An FAQ covering general queries is listed in the 'Additional
Documentation' column of the 'Response Matrix' below.

Notes

None.

Acknowledgements

VMware would like to thank thiscodecc of MoyunSec V-Lab for reporting
this vulnerability to us.


3d. Broken access control vulnerability in vRealize Operations Manager
API (CVE-2021-22025)

Description

The vRealize Operations Manager API contains a broken access control
vulnerability leading to unauthenticated API access. VMware has
evaluated the severity of this issue to be in the Important severity
range with a maximum CVSSv3 base score of 8.6.

Known Attack Vectors

An unauthenticated malicious actor with network access to the vRealize
Operations Manager API can add new nodes to an existing vROps cluster.

Resolution

To remediate CVE-2021-22025 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

An FAQ covering general queries is listed in the 'Additional
Documentation' column of the 'Response Matrix' below.

Notes

None.

Acknowledgements

VMware would like to thank thiscodecc of MoyunSec V-Lab for reporting
this vulnerability to us.


3e. Server Side Request Forgery in vRealize Operations Manager API
(CVE-2021-22026, CVE-2021-22027)

Description

The vRealize Operations Manager API contains a Server Side Request
Forgery vulnerability in multiple endpoints. VMware has evaluated the
severity of this issue to be in the Important severity range with a
maximum CVSSv3 base score of 7.5.

Known Attack Vectors

An unauthenticated malicious actor with network access to the vRealize
Operations Manager API can perform a Server Side Request Forgery attack
leading to information disclosure.

Resolution

To remediate CVE-2021-22026 and CVE-2021-22027 apply the updates listed
in the 'Fixed Version' column of the 'Response Matrix' below to impacted
deployments.

Workarounds

None.

Additional Documentation

An FAQ covering general queries is listed in the 'Additional
Documentation' column of the 'Response Matrix' below.

Notes

None.

Acknowledgements

VMware would like to thank thiscodecc of MoyunSec V-Lab for reporting
this vulnerability to us.


Response Matrix

Product: vRealize Operations Manager   Running On: Any

Version        CVE Identifier   CVSSv3     Severity   Fixed Version   Workarounds   Additional Documentation
8.5.0          N/A              N/A        N/A        Unaffected      N/A           N/A
8.4.0          (*)              4.4 - 8.6  Important  KB85383         None          FAQ
8.3.0          (*)              4.4 - 8.6  Important  KB85382         None          FAQ
8.2.0          (*)              4.4 - 8.6  Important  KB85381         None          FAQ
8.1.1, 8.1.0   (*)              4.4 - 8.6  Important  KB85380         None          FAQ
8.0.1, 8.0.0   (*)              4.4 - 8.6  Important  KB85379         None          FAQ
7.5.0          (*)              4.4 - 8.6  Important  KB85378         None          FAQ

(*) CVE Identifier: CVE-2021-22022, CVE-2021-22023, CVE-2021-22024,
    CVE-2021-22025, CVE-2021-22026, CVE-2021-22027


Impacted Product Suites that Deploy Response Matrix Components

Product: VMware Cloud Foundation (vROps)   Running On: Any

Version        CVE Identifier   CVSSv3     Severity   Fixed Version   Workarounds   Additional Documentation
4.x            (*)              4.4 - 8.6  Important  KB85452         None          FAQ
3.x            (*)              4.4 - 8.6  Important  KB85452         None          FAQ

Product: vRealize Suite Lifecycle Manager (vROps)   Running On: Any

Version        CVE Identifier   CVSSv3     Severity   Fixed Version   Workarounds   Additional Documentation
8.x            (*)              4.4 - 8.6  Important  KB85452         None          FAQ

(*) CVE Identifier: CVE-2021-22022, CVE-2021-22023, CVE-2021-22024,
    CVE-2021-22025, CVE-2021-22026, CVE-2021-22027



4. References

Fixed Versions:

vRealize Operations Manager

8.4: https://kb.vmware.com/s/article/85383

8.3: https://kb.vmware.com/s/article/85382

8.2: https://kb.vmware.com/s/article/85381

8.1.1: https://kb.vmware.com/s/article/85380

8.0.1: https://kb.vmware.com/s/article/85379

7.5: https://kb.vmware.com/s/article/85378



VMware Cloud Foundation (vROps)

4.x/3.x: https://kb.vmware.com/s/article/85452



vRealize Suite Lifecycle Manager (vROps)

8.x: https://kb.vmware.com/s/article/85452



Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22022
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22023
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22024
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22025
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22026
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22027



FIRST CVSSv3 Calculator:

CVE-2021-22022 :
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

CVE-2021-22023 :
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2021-22024 :
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2021-22025 :
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CVE-2021-22026 :
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2021-22027 :
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N


5. Change Log

2021-08-24 VMSA-2021-0018
Initial security advisory.


6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce


This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org



E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055


VMware Security Advisories
https://www.vmware.com/security/advisories


VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html


VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html


VMware Security & Compliance Blog
https://blogs.vmware.com/security


Twitter
https://twitter.com/VMwareSRC



Copyright 2021 VMware Inc. All rights reserved.

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


