- VMware is pushing fixing patches for two important vulnerabilities affecting three of its products.
- The one is a side-request forgery attack, and the second is an arbitrary file write flaw.
- The flaws are addressed by the corresponding security updates, but there are also mitigations available.
VMware has published a security advisory to inform clients about CVE-2021-21975, CVE-2021-21983, a server-side request forgery, and an arbitrary file write vulnerability. The impacted products are "VMware vRealize Operations," "VMware Cloud Foundation," and "vRealize Suite Lifecycle Manager." The flaws were reported to the company privately by Egor Dimitrenko of Positive Technologies, and there are already fixes or at least workarounds available, depending on the product you’re using as well as the specific version.
Starting with CVE-2021-21975, this flaw has a CVSSv3 score of 8.6, so it’s considered important. By exploiting it, a malicious actor with network access to the target product API could perform a side-request forgery attack and steal the administrator’s credentials.
The second flaw, CVE-2021-21983, is given a CVSSv3 score of 7.2, classified as important too. Thanks to this vulnerability, an authenticated malicious actor with network access to the target product API could write files to arbitrary locations on the underlying photon OS.
For a detailed list with the corresponding links to the specific mitigations that apply in each case, check the following:
- vRealize Operations Manager 8.3
- vRealize Operations Manager 8.2
- vRealize Operations Manager 8.1 and 8.1.1
- vRealize Operations Manager 8.0 and 8.0.1
- vRealize Operations Manager 7.5.0
- vRealize Suite Lifecycle Manager 8.x
- VMware Cloud Foundation 4.x
- Vmware Cloud Foundation 3.x
In general, addressing the two flaws is done by downloading and installing the security patch that matches the product you’re using. To do this, log in to the primary node interface of your cluster, click on “Software Update” in the panel to the left, then click on “Install a Software Update” on the main panel, and follow the steps in the wizard to locate and install the PAK file. After the update is complete, you will be logged out of the admin interface automatically. At this point, you are advised to clear the browser cache, log back into the primary node, and check the cluster status, which should be “Online.”
If - for whatever reason - you cannot install the patch, VMware is sharing a workaround for vRealize Operations, which is to remove a configuration line from casa-security-context.xml. The line is the following:
<sec:http pattern="/nodes/thumbprints" security='none'/>
After removing it, save the file, close it, and restart the CaSa service.