Service Notices
VMware vRealize Operations Request Forgery Vulnerability and Arbitrary File Write Vulnerability (CVE-2021-21975, CVE-2021-21983)
Apr 01, 2021 GMT+08:00
I. Overview
VMware has officially disclosed a server side request forgery vulnerability (CVE-2021-21975) and an arbitrary file write vulnerability (CVE-2021-21983) in VMware vRealize Operations.
CVE-2021-21975: Server Side Request Forgery in vRealize Operations Manager API. A malicious user with network access to the vRealize Operations Manager API can perform a server-side request forgery attack to steal administrative credentials.
CVE-2021-21983: Arbitrary file write vulnerability in vRealize Operations Manager API. An authenticated malicious user with network access to the vRealize Operations Manager API can write files to arbitrary locations on the operating system.
Attackers can exploit the two vulnerabilities to execute arbitrary code without authentication.
If you are a VMware vRealize Operations user, check your service version and implement timely security hardening.
Reference: VMSA-2021-0004
II. Severity
Severity: important
(Severity: low, moderate, important, and critical)
III. Affected Products
Affected versions:
vRealize Operations Manager 7.5.0, 8.0.0, 8.0.1, 8.1.0, 8.1.1, 8.2.0, 8.3.0
IV. Vulnerability Handling
Official patches have been released for the following versions. Install the patch suitable for your version in a timely manner.
vRealize Operations Manager 7.5.0, 8.0.0, 8.0.1, 8.1.0, 8.1.1, 8.2.0, 8.3.0
HUAWEI CLOUD WAF can defend against these vulnerabilities. If you are a WAF user, set the basic web protection status to Block. For details, see Enabling Basic Web Protection.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.