
    VMware Issues Patches to Fix New Flaws Affecting Multiple Products




    VMware on Wednesday shipped security updates to address vulnerabilities in a number of products that could potentially be exploited by an attacker to take control of an affected system.

    The six security weaknesses (CVE-2021-22022 through CVE-2021-22027, CVSS scores: 4.4 – 8.6) affect VMware vRealize Operations (prior to version 8.5.0), VMware Cloud Foundation (versions 3.x and 4.x), and vRealize Suite Lifecycle Manager (version 8.x), as listed below –

    • CVE-2021-22022 (CVSS score: 4.4) – Arbitrary file read vulnerability in the vRealize Operations Manager API, leading to information disclosure
    • CVE-2021-22023 (CVSS score: 6.6) – Insecure direct object reference vulnerability in the vRealize Operations Manager API, enabling an attacker with administrative access to alter other users' information and seize control of an account
    • CVE-2021-22024 (CVSS score: 7.5) – Arbitrary log-file read vulnerability in the vRealize Operations Manager API, resulting in sensitive information disclosure
    • CVE-2021-22025 (CVSS score: 8.6) – Broken access control vulnerability in the vRealize Operations Manager API, allowing an unauthenticated malicious actor to add new nodes to the existing vROps cluster
    • CVE-2021-22026 and CVE-2021-22027 (CVSS score: 7.5) – Server-Side Request Forgery vulnerability in the vRealize Operations Manager API, leading to information disclosure

    Credited with reporting the flaws are Egor Dimitrenko of Positive Technologies (CVE-2021-22022 and CVE-2021-22023) and thiscodecc of MoyunSec V-Lab (CVE-2021-22024 through CVE-2021-22027).


    Separately, VMware has also issued patches to remediate a cross-site scripting (XSS) vulnerability affecting VMware vRealize Log Insight and VMware Cloud Foundation. The flaw stems from improper user input validation, enabling an adversary with user privileges to inject malicious payloads via the Log Insight UI that are executed when a victim accesses the shared dashboard link.

    The flaw, which has been assigned the identifier CVE-2021-22021, has been rated 6.5 for severity on the CVSS scoring system. Marcin Kot of Prevenity and Tran Viet Quang of Vantage Point Security have been credited with independently discovering and reporting the vulnerability.
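The stored XSS described above follows the classic pattern of a user-controlled field (here, content reachable through a shared dashboard link) being rendered into HTML without output encoding. The snippet below is an added illustration written for this article, not VMware's code and not a description of the Log Insight fix: it places a vulnerable render routine beside a hardened one and shows how a constructed payload is neutralised by context-appropriate escaping. The dashboard name, base URL and function names are all assumptions made for the example.

```python
import html
from urllib.parse import quote

# Constructed sample: a dashboard name as a low-privileged user might save it.
# (This value is made up for the example; it is not taken from the advisory.)
CONSTRUCTED_DASHBOARD_NAME = 'Prod metrics<script>alert(document.cookie)</script>'


def render_unsafe(name: str) -> str:
    """Vulnerable pattern: the untrusted field is interpolated straight into HTML,
    so any markup the saving user typed becomes live markup for every viewer."""
    return f'<h1 class="dashboard-title">{name}</h1>'


def render_safe(name: str) -> str:
    """Hardened pattern: encode for the HTML text context before interpolation.
    quote=True also encodes quotes, which keeps the value safe inside attributes."""
    return f'<h1 class="dashboard-title">{html.escape(name, quote=True)}</h1>'


def share_link(base_url: str, dashboard_id: str) -> str:
    """Build a share link (hypothetical URL shape). The identifier is
    percent-encoded with no safe characters, so it cannot break out of the
    query string or smuggle markup into a page that reflects the URL."""
    return f'{base_url}/dashboards/shared?id={quote(dashboard_id, safe="")}'


def contains_active_markup(fragment: str) -> bool:
    """Crude detector used to compare the two renderers: is there still a
    live <script> tag in the rendered fragment?"""
    return '<script' in fragment.lower()


if __name__ == '__main__':
    print('unsafe :', render_unsafe(CONSTRUCTED_DASHBOARD_NAME))
    print('safe   :', render_safe(CONSTRUCTED_DASHBOARD_NAME))
    print('link   :', share_link('https://loginsight.example', 'abc/<x>'))
```

In a real template engine the safe path is the default auto-escaping; the point of the side-by-side is that the vulnerable version is exactly one missing call away, which is why reviews of shared or exported views should check every interpolation point for its output context (text, attribute, URL).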

    The patches also arrive a week after VMware patched a denial-of-service bug in its VMware Workspace ONE UEM console (CVE-2021-22029, CVSS score: 5.3) that an actor with access to "/API/system/admins/session" could abuse to render the API unavailable due to improper rate limiting.
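The Workspace ONE UEM bug is described only as "improper rate limiting" on an API endpoint, so the fix class is a per-client request budget on that path. The following is an added example written for this article, not VMware's code and not how the UEM console implements its fix: a token-bucket limiter keyed by client, applied to a protected endpoint path taken from the advisory. The `FakeClock`, the 200/429 return codes, the bucket size and refill rate, and the `RateLimitedEndpoint` class are all assumptions made so the behaviour can be shown deterministically.

```python
import time

# Endpoint path named in the advisory; everything else here is constructed.
PROTECTED_PATHS = {'/API/system/admins/session'}


class FakeClock:
    """Deterministic clock so refill behaviour can be demonstrated without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class TokenBucket:
    """Classic token bucket: `capacity` requests may burst, then `rate` more per second."""
    def __init__(self, capacity: int, rate: float, clock=time.monotonic) -> None:
        self.capacity = capacity
        self.rate = rate
        self.clock = clock
        self.tokens = float(capacity)
        self.last = clock()

    def allow(self) -> bool:
        now = self.clock()
        # Refill proportionally to elapsed time, never above capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimitedEndpoint:
    """Hypothetical request handler: protected paths are budgeted per client id
    (for example the authenticated principal or source address); other paths pass."""
    def __init__(self, capacity: int = 5, rate: float = 1.0, clock=time.monotonic) -> None:
        self.capacity = capacity
        self.rate = rate
        self.clock = clock
        self.buckets: dict[str, TokenBucket] = {}

    def handle(self, client_id: str, path: str) -> int:
        if path not in PROTECTED_PATHS:
            return 200
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = TokenBucket(self.capacity, self.rate, self.clock)
            self.buckets[client_id] = bucket
        # 429 Too Many Requests: the client keeps its session but the expensive
        # handler is not invoked, so one caller cannot exhaust the API for others.
        return 200 if bucket.allow() else 429


def simulate_burst(count: int, capacity: int = 5, rate: float = 1.0):
    """Send `count` back-to-back requests from one client at the same instant
    and return the list of status codes; the first `capacity` succeed."""
    clock = FakeClock()
    endpoint = RateLimitedEndpoint(capacity, rate, clock)
    return [endpoint.handle('client-A', '/API/system/admins/session') for _ in range(count)]


if __name__ == '__main__':
    print(simulate_burst(8))
```

Keying the bucket by client rather than globally matters: a global limit would let the same single actor deny service to everyone by consuming the shared budget, which is the outcome the advisory describes.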
