VMware on Wednesday shipped security updates to address vulnerabilities in multiple products that could be potentially exploited by an attacker to take control of an affected system.
The six security weaknesses (from CVE-2021-22022 through CVE-2021-22027, CVSS scores: 4.4 - 8.6) affect VMware vRealize Operations (prior to version 8.5.0), VMware Cloud Foundation (versions 3.x and 4.x), and vRealize Suite Lifecycle Manager (version 8.x), as listed below -
- CVE-2021-22022 (CVSS score: 4.4) - Arbitrary file read vulnerability in vRealize Operations Manager API, leading to information disclosure
- CVE-2021-22023 (CVSS score: 6.6) - Insecure direct object reference vulnerability in vRealize Operations Manager API, enabling an attacker with administrative access to alter other users' information and seize control of an account
- CVE-2021-22024 (CVSS score: 7.5) - Arbitrary log-file read vulnerability in vRealize Operations Manager API, resulting in sensitive information disclosure
- CVE-2021-22025 (CVSS score: 8.6) - Broken access control vulnerability in vRealize Operations Manager API, allowing an unauthenticated malicious actor to add new nodes to the existing vROps cluster
- CVE-2021-22026 and CVE-2021-22027 (CVSS score: 7.5) - Server Side Request Forgery vulnerability in vRealize Operations Manager API, leading to information disclosure
Credited with reporting the flaws are Egor Dimitrenko of Positive Technologies (CVE-2021-22022 and CVE-2021-22023) and thiscodecc of MoyunSec V-Lab (from CVE-2021-22024 to CVE-2021-22027).
Separately, VMware has also issued patches to remediate a cross-site scripting (XSS) vulnerability impacting VMware vRealize Log Insight and VMware Cloud Foundation that stems from a case of improper user input validation, enabling an adversary with user privileges to inject malicious payloads via the Log Insight UI that's executed when a victim accesses the shared dashboard link.
The flaw, which has been assigned the identifier CVE-2021-22021, has been rated 6.5 for severity on the CVSS scoring system. Marcin Kot of Prevenity and Tran Viet Quang of Vantage Point Security have been credited for independently discovering and reporting the vulnerability.
The patches also arrive a week after VMware patched a denial-of-service bug in its VMware Workspace ONE UEM console (CVE-2021-22029, CVSS score: 5.3) that an actor with access to "/API/system/admins/session" could abuse to render the API unavailable due to improper rate limiting.