VMware vRealize Operations Manager 7.5.x / 8.x Multiple Vulnerabilities (VMSA-2021-0018)

High | Nessus Plugin ID 152873

Synopsis

VMware vRealize Operations running on the remote host is affected by multiple vulnerabilities.

Description

The version of VMware vRealize Operations (vROps) Manager running on the remote web server is 7.5.x prior to 7.5.0.18528913, 8.0.x prior to 8.0.1.18442173, 8.1.x prior to 8.1.1.18442224, 8.2.0 prior to 8.2.0.18439239, 8.3.0 prior to 8.3.0.18439213, or 8.4.0 prior to 8.4.0.18456797. It is, therefore, affected by multiple vulnerabilities:

- The vRealize Operations Manager API contains a broken access control vulnerability leading to unauthenticated API access. (CVE-2021-22025)

- The vRealize Operations Manager API contains an arbitrary log-file read vulnerability. (CVE-2021-22024)

- The vRealize Operations Manager API contains a server-side request forgery (SSRF) vulnerability in multiple endpoints. (CVE-2021-22026, CVE-2021-22027)

Solution

Upgrade to VMware vRealize Operations Manager version 7.5.0.18528913, 8.0.1.18442173, 8.1.1.18442224, 8.2.0.18439239, 8.3.0.18439213, 8.4.0.18456797 or later.
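The description and solution above reduce to a per-branch version comparison: an install is affected when its branch (major.minor) appears in the advisory and its full version sorts below that branch's fixed build. The following is an added example, not Tenable's plugin code or VMware's, that applies exactly those fixed builds to a constructed inventory of hosts so a defender can triage which appliances still need the upgrade. It assumes vROps reports its version as dotted integers (major.minor.patch.build); a version string with the build number missing is treated as build 0, which deliberately errs toward reporting the host as affected.

```python
from typing import Iterable, List, Optional, Tuple

# Fixed builds from the advisory text, keyed by the (major, minor) branch they apply to.
FIXED_BUILDS = {
    (7, 5): (7, 5, 0, 18528913),
    (8, 0): (8, 0, 1, 18442173),
    (8, 1): (8, 1, 1, 18442224),
    (8, 2): (8, 2, 0, 18439239),
    (8, 3): (8, 3, 0, 18439213),
    (8, 4): (8, 4, 0, 18456797),
}


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch.build' into a 4-tuple of ints.

    Missing trailing fields become 0 (assumption: a bare '8.2.0' is an
    unknown build and should compare as older than any fixed build).
    """
    parts = version.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised vROps version string: {version!r}")
    nums = [int(p) for p in parts]
    nums += [0] * (4 - len(nums))
    return nums[0], nums[1], nums[2], nums[3]


def is_affected(version: str) -> Optional[bool]:
    """Return True if the version is below its branch's fixed build, False if at or
    above it, and None when the branch is not covered by VMSA-2021-0018 at all."""
    parsed = parse_version(version)
    fixed = FIXED_BUILDS.get(parsed[:2])
    if fixed is None:
        return None
    # Tuple comparison is lexicographic, so the build number decides within a branch.
    return parsed < fixed


def triage(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify each (host, version) pair as AFFECTED, FIXED or NOT_COVERED."""
    report = []
    for host, version in inventory:
        status = is_affected(version)
        label = "NOT_COVERED" if status is None else ("AFFECTED" if status else "FIXED")
        report.append((host, version, label))
    return report


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = [
        ("vrops-prod-01", "8.3.0.18439213"),   # exactly the fixed build
        ("vrops-prod-02", "8.3.0.17600000"),   # older build on the same branch
        ("vrops-lab-01", "7.5.0.17100000"),    # old 7.5 build
        ("vrops-lab-02", "8.2.0"),             # build number unknown
        ("vrops-new-01", "8.5.0.19000000"),    # branch not in the advisory
    ]
    for host, version, label in triage(sample):
        print(f"{host:15} {version:18} {label}")
```

Only the branch's own fixed build is consulted, so a higher branch with an older absolute build number (for instance 8.2.0.18439239 versus 8.0.1.18442173) is still correctly treated as fixed; comparing build numbers across branches would mis-classify such hosts.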

See Also

https://www.vmware.com/security/advisories/VMSA-2021-0018.html

Plugin Details

Severity: High

ID: 152873

File Name: vmware_vrealize_operations_manager_VMSA-2021-0018.nasl

Version: 1.4

Type: remote

Family: Misc.

Published: 8/27/2021

Updated: 5/9/2022

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2021-22023

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2021-22027

Vulnerability Information

CPE: cpe:/a:vmware:vrealize_operations

Required KB Items: installed_sw/vRealize Operations Manager

Exploit Ease: No known exploits are available

Patch Publication Date: 8/25/2021

Vulnerability Publication Date: 8/25/2021

Reference Information

CVE: CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027

IAVA: 2021-A-0399

VMSA: 2021-0018