VMware this week announced patches for a series of vulnerabilities in vRealize Operations, including four considered high severity.
The most important of these is CVE-2021-22025 (CVSS score of 8.6), which is described as a broken access control vulnerability in the vRealize Operations Manager API. An attacker able to exploit the vulnerability could gain unauthenticated API access.
According to VMware, an unauthenticated attacker who has network access to the vRealize Operations Manager API could exploit the vulnerability to add new nodes to an existing vROps cluster.
The company also addressed an arbitrary log-file read vulnerability in the vRealize Operations Manager API (CVE-2021-22024, CVSS score of 7.5) and two server-side request forgery (SSRF) vulnerabilities (CVE-2021-22026 and CVE-2021-22027, CVSS score of 7.5).
An unauthenticated threat actor with network access could exploit CVE-2021-22024 to read any log file, or could target CVE-2021-22026 and CVE-2021-22027 to perform SSRF attacks, which can result in information disclosure.
VMware addressed two other security issues in the vRealize Operations Manager API, namely CVE-2021-22023 (CVSS score of 6.6) and CVE-2021-22022 (CVSS score of 4.4), which could be exploited to modify the information of other users and take over their accounts, or to read any arbitrary file on the server.
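The advisory names two bug classes without describing them further: an arbitrary (log) file read and server-side request forgery in the API. The block below is an added, generic illustration of the defensive pattern for each class; it is not VMware's code, and the `LOG_ROOT` directory, the function names and the sample inputs are constructed assumptions for the example rather than anything taken from vROps.

```python
"""
Added example, not VMware's code: generic hardening patterns for the two
bug classes the advisory names for the vRealize Operations Manager API,
an arbitrary log-file read and server-side request forgery (SSRF).
LOG_ROOT, the function names and the sample inputs are constructed for
illustration and are not taken from vROps.
"""
import ipaddress
import os
import socket
from typing import Optional
from urllib.parse import urlparse

LOG_ROOT = "/var/log/app"  # assumed location of the logs a viewer may serve


def resolve_log_path(requested: str, root: str = LOG_ROOT) -> Optional[str]:
    """Return an absolute path confined to `root`, or None if the request escapes it.

    The weak form of this check is a bare os.path.join(root, requested):
    '../../etc/passwd' or an absolute '/etc/passwd' then leaves the log
    directory, which is the arbitrary-file-read pattern.
    """
    candidate = os.path.realpath(os.path.join(root, requested))
    root_real = os.path.realpath(root)
    # realpath collapses '..' and resolves symlinks, so a prefix test is
    # enough; compare with a trailing separator so that /var/log/app2 fails.
    if candidate == root_real or candidate.startswith(root_real + os.sep):
        return candidate
    return None


def is_safe_outbound_url(url: str, allowed_schemes=("http", "https")) -> bool:
    """Reject URLs that would make the server fetch from itself or internal ranges.

    Blocking loopback, link-local (cloud metadata), private and multicast
    targets removes the usual SSRF value of a server-side fetch. Resolving
    here and again inside the HTTP client is a TOCTOU gap against DNS
    rebinding; a production check pins the resolved address for the request.
    """
    parsed = urlparse(url)
    if parsed.scheme not in allowed_schemes or not parsed.hostname:
        return False
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    try:
        addrs = {info[4][0] for info in socket.getaddrinfo(parsed.hostname, port)}
    except (socket.gaierror, ValueError):
        return False
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # is_global excludes private, loopback, link-local and reserved space;
        # multicast is checked separately because is_global does not cover it.
        if not ip.is_global or ip.is_multicast:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample requests, as a log viewer or proxy endpoint might see them.
    for req in ("api/server.log", "../../etc/passwd", "/etc/passwd"):
        print(f"log request {req!r:>20} -> {resolve_log_path(req)}")
    for url in ("http://8.8.8.8/", "http://127.0.0.1:8443/",
                "http://169.254.169.254/latest/meta-data/", "file:///etc/passwd"):
        print(f"outbound {url!r:>45} -> {'allowed' if is_safe_outbound_url(url) else 'blocked'}")
```

In a real service the log viewer would go one step further and map a fixed set of log names to paths rather than joining user input at all; the confinement check then becomes defence in depth rather than the only control.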
According to VMware, vRealize Operations Manager is not the only product impacted by these vulnerabilities. VMware Cloud Foundation (vROps) and vRealize Suite Lifecycle Manager (vROps) are affected as well.
VMware has released patches for all of the affected product versions and encourages customers to install them as soon as possible, to ensure they remain protected.
More from Ionut Arghire