VMware Issues Patches to Fix New Flaws Affecting Multiple Products
2021-08-26 00:50

VMware on Wednesday shipped security updates to address vulnerabilities in multiple products that could be potentially exploited by an attacker to take control of an affected system.

The six security weaknesses affect VMware vRealize Operations, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager, and include the following:

CVE-2021-22022 - Arbitrary file read vulnerability in vRealize Operations Manager API, leading to information disclosure.

CVE-2021-22025 - Broken access control vulnerability in the vRealize Operations Manager API, allowing an unauthenticated malicious actor to add new nodes to an existing vROps cluster.

Separately, VMware has also issued patches for a stored cross-site scripting vulnerability affecting VMware vRealize Log Insight and VMware Cloud Foundation. It stems from improper validation of user input and lets an adversary with user privileges inject a malicious payload through the Log Insight UI; the payload executes when a victim opens a shared dashboard link.

The patches also arrive a week after VMware fixed a denial-of-service bug in its Workspace ONE UEM console: because of improper rate limiting, an actor with access to the "/API/system/admins/session" endpoint could flood it and render the API unavailable.
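To make the "improper rate limiting" failure mode concrete, here is an added example (not VMware's code, and not derived from the Workspace ONE UEM implementation) that simulates a session endpoint backed by a small worker pool, first without any per-client limit and then behind a per-client token bucket. The endpoint path is the one named above; the worker pool size, the bucket parameters, the two client identities and the request timings are constructed assumptions. Time is kept in integer milliseconds so the simulation is exact.

```python
"""Per-client token-bucket rate limiting in front of a session endpoint,
with a small simulation of the denial of service that a missing limit allows.

Added example, not VMware code; nothing here is derived from the Workspace ONE
UEM implementation. The endpoint path '/API/system/admins/session' is the one
named in the advisory summary; the worker pool, the limits and the two clients
are constructed. Time is in integer milliseconds so the simulation is exact.
"""
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: `capacity` burst, refilled at `rate` tokens per ms."""

    def __init__(self, capacity, rate, now_ms):
        self.capacity = float(capacity)
        self.rate = float(rate)
        self.tokens = float(capacity)
        self.updated = now_ms

    def allow(self, now_ms, cost=1.0):
        elapsed = max(0, now_ms - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.updated = now_ms
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class SessionApi:
    """Simulated API with a fixed pool of worker slots. Each accepted request to
    the session endpoint holds a slot for `work_ms`; when no slot is free every
    caller gets 503, legitimate admins included. That is the DoS.

    With per_client_burst/per_client_rate unset the API has no rate limit (the
    weak configuration); with them set, each client is throttled before a
    worker is consumed."""

    def __init__(self, workers, work_ms, per_client_burst=None, per_client_rate=None):
        self.workers = workers
        self.work_ms = work_ms
        self.busy_until = []          # ms timestamps at which occupied slots free up
        self.burst = per_client_burst
        self.rate = per_client_rate
        self.buckets = {}             # client id -> TokenBucket
        self.log = []                 # (t, client, path, status)

    def _free_slots(self, now_ms):
        self.busy_until = [t for t in self.busy_until if t > now_ms]
        return self.workers - len(self.busy_until)

    def request(self, client_id, now_ms, path="/API/system/admins/session"):
        if self.burst is not None:
            bucket = self.buckets.get(client_id)
            if bucket is None:
                bucket = self.buckets[client_id] = TokenBucket(self.burst, self.rate, now_ms)
            if not bucket.allow(now_ms):
                self.log.append((now_ms, client_id, path, 429))
                return 429            # rejected cheaply, no worker touched
        if self._free_slots(now_ms) <= 0:
            self.log.append((now_ms, client_id, path, 503))
            return 503
        self.busy_until.append(now_ms + self.work_ms)
        self.log.append((now_ms, client_id, path, 200))
        return 200


def simulate(limited):
    """One abusive client fires 50 requests, one every 20 ms; a legitimate admin
    sends a single request at t=500 ms. Returns ({status: count} for the abuser,
    admin status)."""
    api = SessionApi(workers=4, work_ms=500,
                     per_client_burst=5 if limited else None,
                     per_client_rate=0.001 if limited else None)  # 1 token per second
    abuser = defaultdict(int)
    admin_status = None
    for i in range(50):
        t = i * 20
        abuser[api.request("attacker-api-key", t)] += 1
        if t == 500:
            admin_status = api.request("legit-admin", t)
    return dict(abuser), admin_status


if __name__ == "__main__":
    print("no limit  :", simulate(limited=False))
    print("per-client:", simulate(limited=True))
```

Without the limit the abuser keeps every worker slot occupied and the admin's single request at 500 ms is refused; with a per-client bucket the abuser is cut off with 429 after its burst and the admin gets through. Two design points matter in practice: key the bucket on the authenticated identity (API key or session), since the actor in this advisory already has access to the endpoint and a source-IP limit is trivially spread across addresses, and apply the check before any expensive work such as credential validation or session creation, so a rejected request costs almost nothing.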


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/W1TVjhDXMS0/vmware-issues-patches-to-fix-new-flaws.html

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                                        RISK
2021-08-30  CVE-2021-22025  Improper Authentication vulnerability in VMware products   7.5
            The vRealize Operations Manager API (8.x prior to 8.5) contains a broken access control vulnerability leading to unauthenticated API access.
            Attack vector: network; attack complexity: low; vendor: vmware; CWE-287
2021-08-30  CVE-2021-22022  Path Traversal vulnerability in VMware products            4.9
            The vRealize Operations Manager API (8.x prior to 8.5) contains an arbitrary file read vulnerability.
            Attack vector: network; attack complexity: low; vendor: vmware; CWE-22
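The check a practitioner wants from this table is whether a given vRealize Operations Manager build falls inside "8.x prior to 8.5". The following is an added example, not VMware's code or tooling: it parses dotted version strings, applies that range for both CVEs, and flags hosts whose version cannot be read rather than silently clearing them. The affected range is the only fact taken from the advisory text; the host names and version strings in the inventory are constructed.

```python
"""Triage helper: flag vRealize Operations Manager versions inside the
affected range "8.x prior to 8.5" given for CVE-2021-22022 and CVE-2021-22025.

Added example, not VMware code. Only the affected range is taken from the
advisory text; the inventory below is constructed sample data.
"""
import re

# Affected range per CVE: the major line affected and the first fixed (major, minor).
ADVISORIES = {
    "CVE-2021-22022": {"affected_major": 8, "fixed_in": (8, 5)},
    "CVE-2021-22025": {"affected_major": 8, "fixed_in": (8, 5)},
}

# Accepts 1 to 4 dotted numeric components, e.g. "8", "8.4", "8.4.1", "8.4.1.12345".
_VERSION_RE = re.compile(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.(\d+))?\s*$")


def parse_version(text):
    """Return the version as a tuple of ints; raise ValueError on junk such as 'unknown'."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def is_affected(version, cve):
    """True when `version` is in the affected range for `cve`.

    "8.x prior to 8.5" means: major must be 8, and (major, minor) < (8, 5).
    Other major lines are not claimed affected by the advisory, so they return False.
    A bare "8" is treated as 8.0.
    """
    adv = ADVISORIES[cve]
    v = parse_version(version)
    if v[0] != adv["affected_major"]:
        return False
    major_minor = (v + (0,))[:2]
    return major_minor < adv["fixed_in"]


def triage(inventory):
    """inventory: iterable of (host, version). Returns [(host, version, findings)]
    for hosts that need attention, where findings is a list of CVE ids or a
    single UNPARSEABLE marker (a host whose version cannot be read is not cleared)."""
    results = []
    for host, version in inventory:
        try:
            findings = [cve for cve in ADVISORIES if is_affected(version, cve)]
        except ValueError as exc:
            findings = [f"UNPARSEABLE ({exc})"]
        if findings:
            results.append((host, version, findings))
    return results


# Constructed sample inventory; host names and version strings are illustrative.
SAMPLE_INVENTORY = [
    ("vrops-prod-01.example.test", "8.4.1"),
    ("vrops-prod-02.example.test", "8.5.0"),
    ("vrops-lab.example.test", "8"),
    ("vrops-legacy.example.test", "7.5.0"),
    ("vrops-unknown.example.test", "unknown"),
]

if __name__ == "__main__":
    for host, version, findings in triage(SAMPLE_INVENTORY):
        print(f"{host:28} {version:10} {', '.join(findings)}")
```

Feed it the version strings from your own inventory export; anything that fails to parse is reported rather than dropped, because an unreadable version is exactly the host most likely to have been missed by patching.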

Related vendor

VENDOR   LAST 12M / #PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
VMware   146                    11    222      256    102        591

(The source row carries a single figure, 146, under the LAST 12M and #/PRODUCTS headers; the four severity counts sum to the 591 total.)