
VMware Patches High-Severity Vulnerabilities in vRealize Operations

VMware this week announced patches for a series of vulnerabilities in vRealize Operations, including four considered high severity.


The most important of these is CVE-2021-22025 (CVSS score of 8.6), which is described as a broken access control vulnerability in the vRealize Operations Manager API. An attacker able to exploit the vulnerability could gain unauthenticated API access.

According to VMware, an unauthenticated attacker who has network access to the vRealize Operations Manager API could exploit the vulnerability to add new nodes to an existing vROps cluster.

The company also addressed an arbitrary log-file read vulnerability in the vRealize Operations Manager API (CVE-2021-22024, CVSS score of 7.5) and two server-side request forgery (SSRF) vulnerabilities (CVE-2021-22026 and CVE-2021-22027, CVSS score of 7.5).

An unauthenticated threat actor with network access could exploit CVE-2021-22024 to read any log file, or could target CVE-2021-22026 and CVE-2021-22027 to perform SSRF attacks, which can result in information disclosure.

VMware addressed two other security issues in the vRealize Operations Manager API: CVE-2021-22023 (CVSS score of 6.6), which could be exploited to modify the information of other users and take over their accounts, and CVE-2021-22022 (CVSS score of 4.4), which could be exploited to read any arbitrary file on the server.

According to VMware, vRealize Operations Manager is not the only product impacted by these vulnerabilities. VMware Cloud Foundation and vRealize Suite Lifecycle Manager are affected as well, through the vROps component they include.

VMware has released patches for all of the affected product versions and encourages customers to install them as soon as possible, to ensure they remain protected.


Related: VMware Patches Severe Vulnerability in Workspace ONE Access, Identity Manager

Related: VMware Patches Vulnerabilities in ESXi, ThinApp

Related: VMware Patches Critical Vulnerability in Carbon Black App Control

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
