VMware Patches High Severity Flaws in vRealize Operations, Cloud Foundation and vRealize Suite Lifecycle Manager

VMware has released patches to correct two high severity vulnerabilities in its AI-powered IT operations management platform for private, hybrid, and multi-cloud environments – vRealize Operations. The flaws also affect VMware Cloud Foundation and vRealize Suite Lifecycle Manager.

CVE-2021-21975 is a server-side request forgery (SSRF) flaw that a remote attacker could exploit to abuse the functionality of a server and access or manipulate information that should not be directly accessible. The flaw could be exploited by sending a specially crafted request to a vulnerable vRealize Operations Manager API endpoint, which would allow the attacker to steal administrative credentials. The vulnerability has been assigned a CVSS score of 8.6 out of 10.

The second vulnerability, tracked as CVE-2021-21983, is an arbitrary file write vulnerability in the vRealize Operations Manager API. The flaw has been assigned a CVSS score of 7.2 out of 10. Exploitation of the vulnerability would allow an attacker to write files to the underlying Photon operating system. An attacker would first need to be authenticated with admin credentials in order to exploit the vulnerability.

The concern is that the two vulnerabilities could be chained together, which would allow an attacker to execute arbitrary code remotely in the vRealize Operations platform. To exploit the flaws, an attacker would need to have access to the vRealize Operations Manager API.

VMware has fixed the flaws in vRealize Operations Manager versions 7.5.0 to 8.3.0. Users of the vRealize Operations platform have been advised to update to a secure version of the platform as soon as possible to prevent exploitation of the vulnerabilities.

If it is not possible to update promptly, VMware has offered a workaround, which involves removing a configuration line from the casa-security-context.xml file and then restarting the CaSA service on the affected device. The flaws were identified by Igor Dimitenko of security firm Positive Technologies.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.