Two vulnerabilities (CVE-2021-21975, CVE-2021-21983) recently patched by VMware in its vRealize Operations platform can be chained together to achieve unauthenticated remote code execution (RCE) on the underlying operating system, Positive Technologies researchers have found.
There is no PoC currently available and no mention of the vulnerabilities being exploited in the wild. Nevertheless, administrators are advised to implement provided security patches or temporary workarounds as soon as possible.
VMware vRealize Operations vulnerabilities could lead to RCE
VMware vRealize Operations is a unified, AI-powered platform for IT operations management for private, hybrid, and multi-cloud environments. It is available on premises and as SaaS.
Both vulnerabilities are in the vRealize Operations Manager API.
CVE-2021-21975 is a Server Side Request Forgery (SSRF) flaw that could be exploited remotely by an unauthenticated attacker to steal administrative credentials, and CVE-2021-21983 is an arbitrary file write vulnerability that could allow an authenticated remote attacker to write files to arbitrary locations on the underlying operating system.
They have been deemed to be high-risk, but chained together they can lead to unauthenticated remote code execution.
The vulnerabilities are present in vRealize Operations Manager 7.5.0, 8.0.1, 8.0.0, 8.1.1, 8.1.0, 8.2.0, and 8.3.0, and also impact VMware Cloud Foundation versions 3.x and 4.x and vRealize Suite Lifecycle Manager v8.x.
Security updates are available and so are workarounds, which don’t have an impact on the system’s functionality.
Security researcher Egor Dimitrenko of Positive Technologies has been credited with discovering and reporting the vulnerabilities to VMware.