VMware addressed multiple vulnerabilities in vRealize Operations, including four high-severity flaws.
The most severe flaw, tracked as CVE-2021-22025 (CVSS score of 8.6), is a broken access control vulnerability in the vRealize Operations Manager API. An attacker could exploit the vulnerability to gain unauthenticated API access.
“The vRealize Operations Manager API contains a broken access control vulnerability leading to unauthenticated API access. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.6.” reads the advisory published by the virtualization giant. “An unauthenticated malicious actor with network access to the vRealize Operations Manager API can add new nodes to existing vROps cluster.”
The other high severity flaws addressed by the company are:
VMware also addressed an insecure direct object reference vulnerability in the vRealize Operations Manager API, tracked as CVE-2021-22023 (CVSS score of 6.6), that could be exploited by a malicious actor with administrative access to the vRealize Operations Manager API to modify other users' information, leading to an account takeover.
Other issues addressed by the company impacted VMware Cloud Foundation and vRealize Suite Lifecycle Manager.