VMware has released patches for two high-severity vulnerabilities in vRealize Operations, its AI-powered IT operations management platform for private, hybrid, and multi-cloud environments. The same vulnerabilities also affect two other VMware products that bundle it: vRealize Suite Lifecycle Manager and VMware Cloud Foundation.
The first vulnerability, CVE-2021-21975, is a server-side request forgery (SSRF) flaw. A remote attacker can abuse it to make the server issue requests on their behalf and thereby reach or manipulate data that should not be directly accessible. Exploitation consists of sending a specially crafted request to an insecure vRealize Operations Manager API endpoint, which allows the attacker to steal administrative credentials. The vulnerability has a CVSS score of 8.6 out of 10.
The second vulnerability, also in the vRealize Operations Manager API, is tracked as CVE-2021-21983 and is an arbitrary file write flaw with a CVSS score of 7.2 out of 10. An attacker could exploit it to write files to the underlying Photon operating system. However, the attacker must first hold valid administrative credentials, since the vulnerable endpoint requires authentication.
The real danger is that the two vulnerabilities can be chained: the SSRF flaw yields the admin credentials that the file write flaw requires, giving an attacker remote code execution on the vRealize Operations system. The only prerequisite is network access to the vRealize Operations Manager API.
VMware has fixed the vulnerabilities, which affect vRealize Operations Manager versions 7.5.0 through 8.3.0. Users of vRealize Operations are advised to update to a patched release immediately to prevent exploitation.
For users who cannot patch promptly, VMware has published a workaround that involves editing the casa-security-context.xml file, removing one configuration line, and then restarting the CaSA service on the affected appliance. The vulnerabilities were discovered by Egor Dimitrenko of the security company Positive Technologies.