A critical vulnerability in the VMware Carbon Black Cloud Workload appliance could be exploited to bypass authentication and take control of vulnerable systems.
Tracked as CVE-2021-21982, the flaw is rated 9.1 out of a maximum of 10 in the CVSS scoring system and affects all versions of the product prior to 1.0.1.
Carbon Black Cloud Workload is a data center security product from VMware that aims to protect critical servers and workloads hosted on vSphere, the company's cloud-computing virtualization platform.
“A URL on the administrative interface of the VMware Carbon Black Cloud Workload appliance can be manipulated to bypass authentication,” VMware said in its advisory, thereby enabling an adversary with network access to the interface to gain access to the administration API of the appliance.
Armed with that access, a malicious actor can then view and alter administrative configuration settings, the company added.
In addition to releasing a fix for CVE-2021-21982, VMware has also addressed two separate bugs in its vRealize Operations Manager solution that an attacker with network access to the API could exploit to carry out Server Side Request Forgery (SSRF) attacks to steal administrative credentials (CVE-2021-21975) and write files to arbitrary locations on the underlying Photon operating system (CVE-2021-21983).
The product is primarily designed to monitor and optimize the performance of the virtual infrastructure and support features such as workload balancing, troubleshooting, and compliance management.
Egor Dimitrenko, a security researcher with Positive Technologies, has been credited with reporting all three flaws.
“The main risk is that administrator privileges allow attackers to exploit the second vulnerability—CVE-2021-21983 (an arbitrary file write flaw, scored 7.2), which allows executing any commands on the server,” Dimitrenko said. “The combination of the two security flaws makes the situation even more dangerous, as it allows an unauthorized attacker to obtain control over the server and move laterally within the infrastructure.”
VMware has released patches for vRealize Operations Manager versions 7.0.0, 7.5.0, 8.0.1, 8.1.1, 8.2.0 and 8.3.0. The company has also published workarounds to mitigate the risks associated with the flaws in situations where the patch cannot be installed or is not available.