VMware on Wednesday shipped security patches to address vulnerabilities in a number of products that could be potentially exploited by an attacker to take control of an affected system.
The six security weaknesses (from CVE-2021-22022 through CVE-2021-22027, CVSS scores: 4.4 – 8.6) affect VMware vRealize Operations (prior to version 8.5.0), VMware Cloud Foundation (versions 3.x and 4.x), and vRealize Suite Lifecycle Manager (version 8.x), as listed below –
- CVE-2021-22022 (CVSS score: 4.4) – Arbitrary file read vulnerability in vRealize Operations Manager API, leading to information disclosure
- CVE-2021-22023 (CVSS score: 6.6) – Insecure direct object reference vulnerability in vRealize Operations Manager API, enabling an attacker with administrative access to alter other users' information and seize control of an account
- CVE-2021-22024 (CVSS score: 7.5) – Arbitrary log-file read vulnerability in vRealize Operations Manager API, resulting in sensitive information disclosure
- CVE-2021-22025 (CVSS score: 8.6) – Broken access control vulnerability in vRealize Operations Manager API, allowing an unauthenticated malicious actor to add new nodes to the existing vROps cluster
- CVE-2021-22026 and CVE-2021-22027 (CVSS score: 7.5) – Server Side Request Forgery vulnerability in vRealize Operations Manager API, leading to information disclosure
Credited with reporting the flaws are Egor Dimitrenko of Positive Technologies (CVE-2021-22022 and CVE-2021-22023) and thiscodecc of MoyunSec V-Lab (CVE-2021-22024 through CVE-2021-22027).
Separately, VMware has also issued patches to remediate a cross-site scripting (XSS) vulnerability impacting VMware vRealize Log Insight and VMware Cloud Foundation that stems from a case of improper user input validation, enabling an adversary with user privileges to inject malicious payloads via the Log Insight UI that are executed when a victim accesses the shared dashboard link.
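The stored-XSS pattern described above (untrusted text saved into a dashboard by one user, rendered unencoded for whoever opens the shared link) is illustrated below with an added example. It is not VMware's code and makes no claim about how Log Insight builds its pages; the dashboard record, the two renderers and the `audit_markup` helper are all hypothetical. The vulnerable renderer interpolates stored fields verbatim; the hardened one encodes each value for the context it lands in (HTML text via `html.escape`, the link via scheme validation plus attribute escaping), which is the input-validation/output-encoding fix such a flaw calls for.

```python
from __future__ import annotations

import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample record: a saved dashboard whose text fields and widget link
# came from another (low-privileged) user. Illustrative data only, not a real
# vRealize Log Insight object.
SAMPLE_DASHBOARD = {
    "name": "Capacity overview",
    "description": '<img src=x onerror="alert(\'xss\')">',
    "widget_url": "javascript:alert('xss')",
}


def render_vulnerable(dashboard: dict) -> str:
    """Builds the shared-dashboard page by plain string interpolation.

    Nothing is encoded, so markup stored in the record is emitted verbatim and
    runs in the browser of whoever opens the shared link (stored XSS).
    """
    return (
        f"<h1>{dashboard['name']}</h1>"
        f"<p>{dashboard['description']}</p>"
        f'<a href="{dashboard["widget_url"]}">open widget</a>'
    )


def safe_href(url: str) -> str:
    """Allows only absolute http(s) URLs in an href; anything else becomes '#'.

    Scheme validation is what stops javascript: and data: links; the escape
    call then makes the value safe inside a double-quoted attribute.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return html.escape(url, quote=True)
    return "#"


def render_hardened(dashboard: dict) -> str:
    """Same page, with each untrusted value encoded for the context it lands in:
    HTML text nodes get html.escape, the href gets scheme validation plus
    attribute-safe escaping.
    """
    return (
        f"<h1>{html.escape(dashboard['name'])}</h1>"
        f"<p>{html.escape(dashboard['description'])}</p>"
        f'<a href="{safe_href(dashboard["widget_url"])}">open widget</a>'
    )


class _MarkupAudit(HTMLParser):
    """Collects element names and any attribute that would execute script."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.findings: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.findings.append((tag, name))
            if name.lower() == "href" and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append((tag, "href=javascript:"))


def audit_markup(rendered: str) -> tuple[list[str], list[tuple[str, str]]]:
    """Returns (sorted element names, script-capable attributes) found in the
    rendered page, so the two renderers can be compared side by side."""
    auditor = _MarkupAudit()
    auditor.feed(rendered)
    return sorted(set(auditor.tags)), auditor.findings


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        tags, findings = audit_markup(renderer(SAMPLE_DASHBOARD))
        print(f"{label}: elements={tags} script-capable={findings}")
```

Run stand-alone, the vulnerable page parses into an extra `img` element carrying an `onerror` handler and an `a` element with a `javascript:` link, while the hardened page contains only the three elements the template itself emits. The same audit can be pointed at any rendered template to confirm that stored user content never becomes an element or event attribute.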
The flaw, which has been assigned its own CVE identifier, has been rated 6.5 for severity on the CVSS scoring system. Marcin Kot of Prevenity and Tran Viet Quang of Vantage Point Security have been credited for independently discovering and reporting the vulnerability.
The patches also arrive a week after VMware patched a denial-of-service bug in its VMware Workspace ONE UEM console (CVSS score: 5.3) that an actor with access to "/API/system/admins/session" could abuse to render the API unavailable due to improper rate limiting.
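The "improper rate limiting" root cause named for the Workspace ONE UEM bug is the kind of defect a per-client budget in front of the affected endpoint addresses. The added example below is not VMware's code and does not model how the UEM console handles sessions; `SessionRateLimiter`, `handle_session_request`, the traffic sample and the policy numbers are all hypothetical. It implements a token bucket keyed by client, replays a constructed burst through it, and reports which calls would be answered with HTTP 429 instead of creating a session.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class _Bucket:
    tokens: float  # credits currently available to this client
    last: float    # timestamp (seconds) of the last refill


class SessionRateLimiter:
    """Per-client token bucket placed in front of a session-creation endpoint.

    `capacity` is the burst a client may send at once; `refill_per_sec` is the
    sustained rate. Timestamps are passed in explicitly so the logic is
    deterministic and testable; production code would use time.monotonic().
    """

    def __init__(self, capacity: int = 5, refill_per_sec: float = 1.0) -> None:
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self._buckets: dict[str, _Bucket] = {}

    def allow(self, client_key: str, now: float) -> bool:
        bucket = self._buckets.get(client_key)
        if bucket is None:
            bucket = _Bucket(tokens=float(self.capacity), last=now)
            self._buckets[client_key] = bucket
        # Refill in proportion to elapsed time, never beyond capacity.
        elapsed = max(0.0, now - bucket.last)
        bucket.tokens = min(float(self.capacity), bucket.tokens + elapsed * self.refill_per_sec)
        bucket.last = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False


def handle_session_request(limiter: SessionRateLimiter, client_key: str, now: float) -> int:
    """Returns the HTTP status the endpoint would answer with: 429 when the
    client is over its budget, 201 when a session may be created. Session
    creation itself is not modelled here."""
    if not limiter.allow(client_key, now):
        return 429
    return 201


# Constructed traffic: (timestamp in seconds, client key). Client "A" bursts
# eight calls at t=0 and three more at t=2; client "B" sends one call at t=0.
SAMPLE_TRAFFIC = [(0, "A")] * 8 + [(0, "B")] + [(2, "A")] * 3


def simulate(traffic, capacity: int = 5, refill_per_sec: float = 1.0) -> list[tuple[float, str, int]]:
    """Replays the traffic through one limiter and returns (t, client, status)."""
    limiter = SessionRateLimiter(capacity, refill_per_sec)
    return [(t, client, handle_session_request(limiter, client, t)) for t, client in traffic]


def status_counts(results) -> dict[str, dict[int, int]]:
    """Per-client histogram of status codes, used to check the policy holds."""
    counts: dict[str, dict[int, int]] = {}
    for _, client, status in results:
        counts.setdefault(client, {})
        counts[client][status] = counts[client].get(status, 0) + 1
    return counts


if __name__ == "__main__":
    for t, client, status in simulate(SAMPLE_TRAFFIC):
        print(f"t={t:>3}s client={client} -> {status}")
    print(status_counts(simulate(SAMPLE_TRAFFIC)))
```

With the default policy of a burst of five and one credit per second, client "A" gets five of its eight calls at t=0 and two of the three at t=2 accepted, with the rest answered 429, while client "B" is unaffected by "A"'s burst because budgets are tracked per client. In a real deployment the key would combine the authenticated principal with the source address, and the bucket map would need eviction of idle entries so the limiter itself cannot be made to grow without bound.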