VMware Issues Patches to Fix New Flaws Affecting Multiple Products
Security News, August 2021
VMware on Wednesday shipped security updates to address vulnerabilities in multiple products that could be potentially exploited by an attacker to take control of an affected system.
The six security weaknesses affect VMware vRealize Operations, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager, as listed below:
CVE-2021-22022 - Arbitrary file read vulnerability in vRealize Operations Manager API, leading to information disclosure.
CVE-2021-22025 - Broken access control vulnerability in vRealize Operations Manager API, allowing an unauthenticated malicious actor to add new nodes to the existing vROps cluster.
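The first entry above is an arbitrary file read, the weakness class behind most path-traversal bugs in file-serving API endpoints. The usual defensive pattern is to anchor every requested path under a fixed base directory, normalise it, and refuse anything that lands outside. The following is an added illustration written for this page, not VMware's code and not derived from the vRealize Operations API; the base directory, file names and client-supplied paths are constructed for the example.

```python
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a client-supplied path would escape the allowed base directory."""


def resolve_under_base(base_dir: str, requested: str) -> Path:
    """Map a client-supplied relative path onto base_dir, refusing escapes.

    Pure path arithmetic: no filesystem access, so it can be unit-tested
    without creating files. Leading slashes are stripped so an absolute
    request is treated as relative to the base rather than as a root path.
    """
    base = os.path.abspath(base_dir)
    candidate = os.path.normpath(os.path.join(base, requested.lstrip("/\\")))
    # After normalisation, '..' segments have been collapsed; the only way the
    # candidate stays inside the base is if the base is its common prefix.
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"refused: {requested!r} escapes {base}")
    return Path(candidate)


def is_within_base(base_dir: str, requested: str) -> bool:
    """Boolean form of the same check, convenient for request validation."""
    try:
        resolve_under_base(base_dir, requested)
        return True
    except PathTraversalError:
        return False


def safe_read(base_dir: str, requested: str) -> bytes:
    """Read a file only after the path has been confined to base_dir."""
    return resolve_under_base(base_dir, requested).read_bytes()


def demo() -> dict:
    """Exercise safe_read against constructed files: one inside the base,
    one sibling 'secret' outside it, and an absolute path request."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "reports"
        base.mkdir()
        (base / "summary.txt").write_bytes(b"ok")          # constructed, allowed
        (Path(tmp) / "secret.txt").write_bytes(b"SECRET")  # constructed, outside base
        results = {}
        for req in ("summary.txt", "../secret.txt", "/summary.txt"):
            try:
                results[req] = safe_read(str(base), req)
            except PathTraversalError:
                results[req] = "PathTraversalError"
        return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req!r:20} -> {outcome!r}")
```

Note that `"/summary.txt"` is accepted because the leading slash is stripped and the remainder resolves inside the base; whether to treat absolute requests that way or reject them outright is a policy choice, and the strict option is simply to reject any request that starts with a separator.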
Separately, VMware has also issued patches to remediate a cross-site scripting vulnerability impacting VMware vRealize Log Insight and VMware Cloud Foundation. It stems from improper validation of user input, enabling an adversary with user privileges to inject malicious payloads via the Log Insight UI that are executed when a victim accesses the shared dashboard link.
The patches also arrive a week after VMware patched a denial-of-service bug in its VMware Workspace ONE UEM console that an actor with access to "/API/system/admins/session" could abuse to render the API unavailable due to improper rate limiting.
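The Workspace ONE UEM issue above is a denial of service attributed to improper rate limiting on an API endpoint. The standard mitigation is a per-client token bucket: each client may spend a small burst of requests immediately and then earns new ones at a fixed rate, so a single caller cannot exhaust the endpoint for everyone else. The code below is an added example for this page, not VMware's implementation; the capacity and refill values, the client identifiers and the fake clock are constructed for the demonstration.

```python
import time


class TokenBucketLimiter:
    """Per-client token bucket.

    Each key starts with `capacity` tokens, spends one per request, and
    refills at `refill_per_sec`. A request is allowed only if a whole token
    is available, so a flood from one key is cut off at the burst size while
    other keys are unaffected.
    """

    def __init__(self, capacity: int, refill_per_sec: float, clock=time.monotonic):
        self.capacity = float(capacity)
        self.refill = float(refill_per_sec)
        self.clock = clock            # injectable for deterministic tests
        self._state = {}              # key -> (tokens, last_seen_timestamp)

    def allow(self, key: str) -> bool:
        now = self.clock()
        tokens, last = self._state.get(key, (self.capacity, now))
        # Credit tokens earned since the last request, capped at the burst size.
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        if tokens >= 1.0:
            self._state[key] = (tokens - 1.0, now)
            return True
        self._state[key] = (tokens, now)
        return False


class FakeClock:
    """Manually advanced clock so the example runs the same way every time."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate_burst(capacity: int = 5, refill_per_sec: float = 1.0,
                   burst: int = 20) -> tuple:
    """Send `burst` requests from one constructed client, wait two seconds,
    send another burst, then check that a second client is still served.

    Returns (accepted_in_first_burst, accepted_after_wait, other_client_ok).
    """
    clock = FakeClock()
    limiter = TokenBucketLimiter(capacity, refill_per_sec, clock)
    noisy, quiet = "client-A", "client-B"   # constructed identifiers

    first = sum(limiter.allow(noisy) for _ in range(burst))
    clock.advance(2.0)                       # earns refill_per_sec * 2 tokens
    second = sum(limiter.allow(noisy) for _ in range(burst))
    other_ok = limiter.allow(quiet)          # unaffected by client-A's flood
    return first, second, other_ok


if __name__ == "__main__":
    print(simulate_burst())
```

With the default parameters the first burst of 20 yields only 5 accepted requests, the second burst after a two-second pause yields 2, and the other client is served immediately. In a real deployment the key would be whatever identifies the caller for the endpoint in question (session, API token or source address), and the limiter state would live in shared storage if the service is replicated.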
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2021-08-30 | CVE-2021-22025 | Improper Authentication vulnerability in VMware products. The vRealize Operations Manager API (8.x prior to 8.5) contains a broken access control vulnerability leading to unauthenticated API access. | 7.5
2021-08-30 | CVE-2021-22022 | Path Traversal vulnerability in VMware products. The vRealize Operations Manager API (8.x prior to 8.5) contains an arbitrary file read vulnerability. | 4.9