VMware has patched several major vulnerabilities in the Carbon Black Cloud Workload and VMware vRealize Operations (vROps).
The vulnerability in Carbon Black Cloud Workload was identified as CVE-2021-21982 and received a CVSS v3 score of 9.1 out of 10. The bug was discovered by Yegor Dimitrenko from Positive Technologies and is associated with the administrative interface. It allows attackers to bypass authentication by manipulating the URL in the interface. Thus, an attacker could exploit the error to execute arbitrary code on the server.
Dimitrenko also identified two vulnerabilities in VMware vRealize Operations (vROps), a solution for monitoring and optimizing the performance of virtual infrastructure and for troubleshooting it.
The more dangerous of the two was discovered in the vROps API. The bug, with the identifier CVE-2021-21975 and a CVSS v3 score of 8.6, is classified as a server-side request forgery (SSRF) vulnerability, that is, it allows requests to be forged on the server side. With its help, any unauthorized attacker can steal administrator credentials and gain access to the application with maximum privileges, which allows changing the application's configuration and intercepting any data in it.
Among the reasons for the emergence of vulnerabilities like CVE-2021-21975, the researcher names the desire of developers to solve the tasks assigned to them in the most convenient ways, which are not always effective from a security point of view.
The CVE-2021-21983 vulnerability is of a kind that is often caused by insufficient filtering of user input.
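To illustrate the "insufficient filtering of user input" point in the context of an SSRF-prone feature, here is an added example (not code from VMware or from the researcher) of the kind of check a server-side fetch feature should apply: the convenient scheme-only check beside a hardened version that allow-lists hosts and verifies every resolved address is globally routable. The hostnames, addresses and stub DNS table are constructed for offline use.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed resolver stub so the example runs offline (assumption); a real
# deployment would use socket.getaddrinfo and re-check every returned address.
STUB_DNS = {
    "api.example.com": ["93.184.216.34"],      # constructed: a public address
    "internal.example": ["10.0.0.5"],          # constructed: RFC 1918 space
    "metadata.example": ["169.254.169.254"],   # constructed: link-local range
}

def resolve(host, resolver=STUB_DNS):
    """Return the addresses a hostname maps to (IP literals map to themselves)."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return resolver.get(host.lower(), [])

def weak_check(url):
    """The 'convenient' filter: only the scheme is inspected, so loopback,
    private and link-local destinations are all accepted."""
    return urlsplit(url).scheme in ("http", "https")

def hardened_check(url, allowed_hosts, resolver=STUB_DNS):
    """Accept only http(s) URLs to an allow-listed host whose every resolved
    address is globally routable; reject userinfo tricks and unknown hosts."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.username or parts.password:        # e.g. allowed.host@evil.host
        return False
    host = parts.hostname.lower()
    if host not in allowed_hosts:
        return False
    addrs = resolve(host, resolver)
    if not addrs:
        return False
    # Every address must be global: rules out loopback, RFC 1918, link-local,
    # multicast, reserved and unspecified ranges in one check.
    return all(ipaddress.ip_address(a).is_global for a in addrs)
```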
Let me also remind you that we wrote about VMware closing an RCE vulnerability in ESXi and Horizon.