
High-Severity Vulnerabilities in vRealize Operations VMware

Issued: Monday, 30 August, 2021
Last Revision: Monday, 30 August, 2021
Vendor: VMware
Product: vRealize Operations
Severity Level: High
Summary: 
VMware has released security patches to address a series of vulnerabilities in vRealize Operations, including four categorized as high severity. The most severe flaw is a broken access control vulnerability (CVE-2021-22025), which could allow an attacker to gain unauthenticated API access when successfully exploited.

| Description                                                                        | CVE            | CVSS3.0 Score |
|------------------------------------------------------------------------------------|----------------|---------------|
| Arbitrary file read vulnerability in vRealize Operations Manager API               | CVE-2021-22022 | 4.4           |
| Insecure direct object reference vulnerability in vRealize Operations Manager API  | CVE-2021-22023 | 6.6           |
| Arbitrary log-file read vulnerability in vRealize Operations Manager API           | CVE-2021-22024 | 7.5           |
| Broken access control vulnerability in vRealize Operations Manager API             | CVE-2021-22025 | 8.6           |
| Server Side Request Forgery in vRealize Operations Manager API                     | CVE-2021-22026 | 7.5           |
| Server Side Request Forgery in vRealize Operations Manager API                     | CVE-2021-22027 | 7.5           |

Table 1: Vulnerability details

| Vulnerability / CVE                                                                                          | Affected Product(s)                      | Version      | Fixed Version |
|--------------------------------------------------------------------------------------------------------------|------------------------------------------|--------------|---------------|
| CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027               | VMware vRealize Operations Manager       | 8.4.0        | KB85383       |
| CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027               | VMware vRealize Operations Manager       | 8.3.0        | KB853832      |
| CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027               | VMware vRealize Operations Manager       | 8.2.0        | KB853831      |
| CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027               | VMware vRealize Operations Manager       | 8.1.1, 8.1.0 | KB853830      |
| CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027               | VMware vRealize Operations Manager       | 8.0.1, 8.0.0 | KB85379       |
| CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027               | VMware vRealize Operations Manager       | 7.5.0        | KB85378       |
| CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027               | VMware Cloud Foundation (vROps)          | 4.x          | KB85452       |
| CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027               | VMware Cloud Foundation (vROps)          | 3.x          | KB85452       |
| CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027               | vRealize Suite Lifecycle Manager (vROps) | 8.x          | KB85452       |

Table 2: Vulnerable versions

Recommendation:

To remediate the vulnerabilities reported in this Risk directive, apply the patches listed in the 'Fixed Version' column of the 'Affected Product(s)' table (Table 2) above, and refer to https://www.vmware.com/security/advisories/VMSA-2021-0018.html for more information.