VMware Patches High Severity Flaws in vRealize Operations, Cloud Foundation and vRealize Suite Lifecycle Manager

Share this article on:

VMware has released patches to correct two high severity vulnerabilities in its AI-powered IT operations management platform for private, hybrid, and multi-cloud environments – vRealize Operations. The flaws also affect VMware Cloud Foundation and vRealize Suite Lifecycle Manager.

CVE-2021-21975 is a server side request forgery flaw which could be exploited by a remote attacker to abuse the functionality of a server and access or manipulate information that should not be directly accessible. The flaw could be exploited by sending a specially crafted request to a vulnerable vRealize Operations Manager API endpoint which would allow the attacker to steal administrative credentials. The vulnerability has been assigned a CVSS score of 8.6 out of 10.

The second vulnerability, tracked as CVE-2021-21983, is an arbitrary file write vulnerability in the vRealize Operations Manager API. The flaw has been assigned a CVSS score of 7.2 out of 10. Exploitation of the vulnerability would allow an attacker to write files to the underlying photon operating system. An attacker would first need to be authenticated with admin credentials in order to exploit the vulnerability.

The concern is that both vulnerabilities could be chained together, which would allow an attacker to achieve remote code execution of arbitrary code in the vRealize Operations platform. In order to exploit the flaws an attacker would need to have access to the vRealize Operations Manager API.

VMWare has fixed the flaws in vRealize Operations Manager versions 7.5.0 to 8.3.0. Users of the vRealize Operations platform have been advised to update to a secure version of the platform as soon as possible to prevent exploitation of the vulnerabilities.

If it is not possible to update promptly, VMware has offered a workaround which involves removing a configuration line from the casa-security-context.xml, followed by restarting the CaSA service on the affected device. The flaws were identified by Igor Dimitenko of security firm Positive Technologies.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On