VMware addressed multiple vulnerabilities in vRealize Operations, including four high severity flaws.
The most severe flaw, tracked as CVE-2021-22025 (CVSS score of 8.6), is a broken access control vulnerability in the vRealize Operations Manager API. An attacker could exploit the vulnerability to gain unauthenticated API access.
“The vRealize Operations Manager API contains a broken access control vulnerability leading to unauthenticated API access. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.6.“ reads the advisory published by the virtualization giant. “An unauthenticated malicious actor with network access to the vRealize Operations Manager API can add new nodes to existing vROps cluster.”
The other high severity flaws addressed by the company are:
VMware also addressed an Insecure direct object reference vulnerability in vRealize Operations Manager API, tracked as CVE-2021-22023 (CVSS score of 6.6), that could be exploited by a malicious actor with administrative access to vRealize Operations Manager API to modify other users information leading to an account takeover.
Other issues addressed by the company impacted VMware Cloud Foundation and vRealize Suite Lifecycle Manager.
(SecurityAffairs – hacking, vRealize Operations )