VMware, the virtualization giant, has patched six vulnerabilities, including four high-severity vulnerabilities, in its recent security update VMSA-2021-0018. The vulnerabilities, tracked as CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026 and CVE-2021-22027, affect the widely used VMware vRealize Operations, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.
Successful exploitation of most of these vulnerabilities allows attackers to obtain sensitive information. Attackers can also seize control of an account and alter other users' information.
The four high-severity vulnerabilities affecting VMware vRealize Operations, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager are:
- CVE-2021-22025 – Broken access control vulnerability. The vulnerability allows an unauthenticated malicious actor to gain API access. An attacker with network access to the vRealize Operations Manager API can add new nodes to the existing vROps cluster. The vulnerability has received a CVSSv3 score of 8.6.
- CVE-2021-22024 – Arbitrary log-file read vulnerability. The vulnerability allows an attacker to read any log file and obtain sensitive information. The vulnerability is rated in the important severity range and has received a CVSSv3 score of 7.5.
- CVE-2021-22026, CVE-2021-22027 – Server-side request forgery (SSRF) vulnerabilities. The vulnerabilities allow attackers to disclose sensitive information. Each has received a CVSSv3 score of 7.5.
The remaining, lower-severity vulnerabilities addressed are:
- CVE-2021-22022 – Arbitrary file read vulnerability. The vulnerability allows attackers to read arbitrary files and obtain sensitive information, which can be used to launch further attacks. It has received a CVSSv3 score of 4.4.
- CVE-2021-22023 – Insecure object reference vulnerability. The vulnerability allows bypassing security restrictions. An attacker with administrative access can alter other users' information and seize control of an account.
VMware Security Update summary for August 2021
Affected products:
- VMware vRealize Operations
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager
CVEs/Advisory: CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027
Impact: Information Disclosure, Security Bypass
KBs: KB85383, KB85382, KB85381, KB85380, KB85379, KB85378, KB85452
SanerNow VM detects these vulnerabilities. We strongly recommend applying the security updates for all of these vulnerabilities as a high priority.