VMware Publishes Security Advisory for Two Important Vulnerabilities

  • VMware has released patches for two important vulnerabilities affecting three of its products.
  • One is a server-side request forgery (SSRF) flaw; the other is an arbitrary file write flaw.
  • Both are addressed by the corresponding security updates, and a workaround is available where patching is not immediately possible.

VMware has published a security advisory informing customers about CVE-2021-21975, a server-side request forgery (SSRF) vulnerability, and CVE-2021-21983, an arbitrary file write vulnerability. The affected products are VMware vRealize Operations, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. Both flaws were reported privately to VMware by Egor Dimitrenko of Positive Technologies, and fixes, or at least workarounds, are available depending on the product and the specific version you run.

Starting with CVE-2021-21975: this flaw has a CVSSv3 base score of 8.6 and is rated "important." By exploiting it, a malicious actor with network access to the vRealize Operations Manager API could perform a server-side request forgery attack and steal administrative credentials. Note that, unlike the second flaw, the advisory does not require the attacker to be authenticated first, which is consistent with the workaround described further down: it removes a rule that exposes an API endpoint with no security applied.

The second flaw, CVE-2021-21983, has a CVSSv3 base score of 7.2 and is also rated "important." An authenticated malicious actor with network access to the vRealize Operations Manager API could use it to write files to arbitrary locations on the underlying Photon OS. The two issues chain naturally: administrative credentials obtained through the SSRF satisfy the authentication requirement of the file write, so an exposed API should be treated as fully compromisable rather than as two separate medium-risk problems.

For a detailed list with the corresponding links to the specific mitigations that apply in each case, check the following:

In general, addressing the two flaws means downloading and installing the security patch (a PAK file) that matches the product and version you run. Log in to the admin interface of your cluster's primary node, click "Software Update" in the left panel, then click "Install a Software Update" in the main panel and follow the wizard to locate and install the PAK file. When the update completes, you are logged out of the admin interface automatically. At that point, clear the browser cache, log back into the primary node, and confirm that the cluster status shows "Online."

If, for whatever reason, you cannot install the patch, VMware offers a workaround for vRealize Operations: remove a single configuration line from casa-security-context.xml. Treat this as a stop-gap mitigation rather than a fix, and still apply the patch when you can. The line to remove is the following:

<sec:http pattern="/nodes/thumbprints" security='none'/> 

After removing it, save and close the file, then restart the CaSa service so the new security context is loaded. Back up the file before editing it, and confirm afterwards that the service came back up and that the line is gone.
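The workaround above as a script, added here as an example rather than VMware's own tooling. The file path in CASA_XML and the vmware-casa service name are assumptions not stated on this page, so confirm both on your appliance before use; the script backs the file up, removes only the offending rule, and checks that exactly one rule disappeared before it restarts anything.

```shell
#!/bin/sh
# Added example, not VMware's own tooling. Applies the vRealize Operations
# workaround: drop the rule exposing /nodes/thumbprints with security='none'
# from casa-security-context.xml, then restart the CaSa service.
# ASSUMPTIONS (not stated in the advisory text on this page): the default file
# location in CASA_XML and the 'vmware-casa' service name in restart_casa.

CASA_XML="${CASA_XML:-/usr/lib/vmware-casa/casa-webapp/webapps/casa/WEB-INF/casa-security-context.xml}"

# Regex for the offending rule. The '.' around none matches either quote style.
RULE_RE='pattern="/nodes/thumbprints"[[:space:]]*security=.none.'

# Exit 0 when the file still carries the unauthenticated rule (workaround NOT
# applied), 1 otherwise. Usable as a standalone compliance check.
has_unauthenticated_thumbprints() {
    grep -q "$RULE_RE" "$1"
}

# Number of <sec:http ...> rules in the file; used to prove that only the one
# targeted line was removed.
count_http_rules() {
    grep -c '<sec:http ' "$1"
}

# Remove the rule, keeping a timestamped backup beside the file. Writes via a
# temp file plus mv instead of 'sed -i' so it works with any POSIX sed.
remove_thumbprints_rule() {
    file="$1"
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
    # '#' is used as the sed address delimiter because the regex contains '/'.
    sed "\\#$RULE_RE#d" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Restart CaSa so the edited security context is loaded (service name assumed).
restart_casa() {
    service vmware-casa restart
}

# Apply the workaround end to end. Returns 0 on success or if it was already
# applied; returns 1 and leaves the backup in place if the edit looks wrong.
apply_workaround() {
    file="$1"
    if ! has_unauthenticated_thumbprints "$file"; then
        echo "already applied: no unauthenticated /nodes/thumbprints rule in $file"
        return 0
    fi
    before=$(count_http_rules "$file")
    remove_thumbprints_rule "$file" || return 1
    after=$(count_http_rules "$file")
    echo "sec:http rules before: $before, after: $after"
    if [ "$((before - after))" -ne 1 ]; then
        echo "unexpected change to $file; restore it from the .bak copy" >&2
        return 1
    fi
    if has_unauthenticated_thumbprints "$file"; then
        echo "rule still present in $file; restore it from the .bak copy" >&2
        return 1
    fi
    return 0
}

# Only act when invoked explicitly, so sourcing this file for its functions
# (e.g. to run the check alone) has no side effects.
if [ "${1:-}" = "--apply" ]; then
    apply_workaround "$CASA_XML" && restart_casa
fi
```

Run it as `sh apply-casa-workaround.sh --apply` on the node, or source it and call `has_unauthenticated_thumbprints "$CASA_XML"` from a fleet check to find appliances that are neither patched nor mitigated.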
