VMware on Wednesday shipped security updates to address vulnerabilities in a number of products that could potentially be exploited by an attacker to take control of an affected system.
The six security weaknesses (from CVE-2021-22022 through CVE-2021-22027, CVSS scores: 4.4 – 8.6) affect VMware vRealize Operations (prior to version 8.5.0), VMware Cloud Foundation (versions 3.x and 4.x), and vRealize Suite Lifecycle Manager (version 8.x), as listed below –
- CVE-2021-22022 (CVSS score: 4.4) – Arbitrary file read vulnerability in vRealize Operations Manager API, leading to information disclosure
- CVE-2021-22023 (CVSS score: 6.6) – Insecure direct object reference vulnerability in vRealize Operations Manager API, enabling an attacker with administrative access to alter other users' information and seize control of an account
- CVE-2021-22024 (CVSS score: 7.5) – Arbitrary log-file read vulnerability in vRealize Operations Manager API, resulting in sensitive information disclosure
- CVE-2021-22025 (CVSS score: 8.6) – Broken access control vulnerability in vRealize Operations Manager API, allowing an unauthenticated malicious actor to add new nodes to the existing vROps cluster
- CVE-2021-22026 and CVE-2021-22027 (CVSS score: 7.5) – Server Side Request Forgery vulnerability in vRealize Operations Manager API, leading to information disclosure
Credited with reporting the flaws are Egor Dimitrenko of Positive Technologies (CVE-2021-22022 and CVE-2021-22023) and thiscodecc of MoyunSec V-Lab (from CVE-2021-22024 to CVE-2021-22027).
Separately, VMware has also issued patches to remediate a cross-site scripting (XSS) vulnerability impacting VMware vRealize Log Insight and VMware Cloud Foundation that stems from a case of improper user input validation, enabling an adversary with user privileges to inject malicious payloads via the Log Insight UI that are executed when a victim accesses the shared dashboard link.
The flaw, which has been assigned the identifier CVE-2021-22021, has been rated 6.5 for severity on the CVSS scoring system. Marcin Kot of Prevenity and Tran Viet Quang of Vantage Point Security have been credited for independently discovering and reporting the vulnerability.
The patches also arrive a week after VMware patched a denial-of-service bug in its VMware Workspace ONE UEM console (CVE-2021-22029, CVSS score: 5.3) that an actor with access to "/API/system/admins/session" could abuse to render the API unavailable due to improper rate limiting.