VMware issued a security advisory for two vulnerabilities that impact vRealize Operations products.
An attacker could exploit one of these vulnerabilities and take control of an unpatched system.
The VMware updates address server side request forgery and arbitrary file write vulnerabilities (CVE-2021-21975 and CVE-2021-21983).
CVE-2021-21975
For the first issue, VMware vRealize Operations Manager API contains a server side request forgery vulnerability CVE-2021-21975.
“A malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials,” VMware stated in the advisory.
The vulnerability has a CVSSv3 base score of 8.6 or High severity.
CVE-2021-21983
For the second issue, vRealize Operations Manager API contains an arbitrary file write vulnerability CVE-2021-21983.
“An authenticated malicious actor with network access to the vRealize Operations Manager API can write files to arbitrary locations on the underlying photon operating system,” VMware noted in the advisory.
The vulnerability has a CVSSv3 base score of 7.2 or High severity.
VMware has provided patches and workarounds to address these vulnerabilities in impacted VMware products.