SB2021092118 - Multiple vulnerabilities in VMware vCloud Foundation 

Published: September 21, 2021 Updated: February 1, 2023

Security Bulletin ID: SB2021092118
Severity: High
Patch available: YES
Number of vulnerabilities: 16
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 6% Medium 56% Low 38%

Description

This security bulletin contains information about 16 security vulnerabilities.


1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-21991)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to the way the vCenter Server handles session tokens. A local user can escalate privileges to Administrator on the vSphere Client (HTML5) or vCenter Server vSphere Web Client (FLEX/Flash).


2) Input validation error (CVE-ID: CVE-2021-21992)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when parsing XML data. A remote user can pass specially crafted XML data to the application and perform a denial of service (DoS) attack.


3) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2021-21993)

The disclosed vulnerability allows a remote user to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input. A remote user can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive data located in the local network or to send malicious requests to other servers from the vulnerable system.


4) Improper Authorization (CVE-ID: CVE-2021-22006)

The vulnerability allows a remote attacker to gain unauthorized access to the system.

The vulnerability exists due to improper URI handling in the reverse proxy. A remote non-authenticated attacker can send a specially crafted HTTP request to port 443/TCP and access restricted endpoints.

5) Information disclosure (CVE-ID: CVE-2021-22007)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output in the Analytics service. A local user can gain unauthorized access to sensitive information on the system.


6) Information disclosure (CVE-ID: CVE-2021-22008)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output in VAPI (vCenter API) service. A remote attacker with access to port 443/TCP can gain unauthorized access to sensitive information on the system.


7) Resource exhaustion (CVE-ID: CVE-2021-22009)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources within the VAPI (vCenter API) service. A remote attacker can send a specially crafted HTTP request to port 443/TCP and perform a denial of service (DoS) attack.


8) Resource exhaustion (CVE-ID: CVE-2021-22010)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources within the VPXD (Virtual Provisioning X Daemon) service. A remote attacker can send a specially crafted HTTP request to port 443/TCP and consume all available memory resources.


9) Improper Authentication (CVE-ID: CVE-2021-22011)

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists due to missing authentication for an API endpoint in vCenter Server Content Library. A remote non-authenticated attacker with access to port 443/TCP can gain unauthorized access to the system and perform unauthenticated VM network setting manipulation.


10) Code Injection (CVE-ID: CVE-2021-22014)

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in VAMI (Virtual Appliance Management Infrastructure). A remote authenticated VAMI user can send a specially crafted request to port 5480/TCP and execute arbitrary code on the target system.



11) Incorrect default permissions (CVE-ID: CVE-2021-22015)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect default permissions for files and folders that are set by the system. A local user with access to the system can escalate privileges to root on the vCenter Server Appliance.


12) Cross-site scripting (CVE-ID: CVE-2021-22016)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


13) Improper Authorization (CVE-ID: CVE-2021-22017)

The vulnerability allows a remote attacker to gain unauthorized access to the system.

The vulnerability exists due to an improper implementation of URI normalization in rhttpproxy. A remote non-authenticated attacker can request a specially crafted URL, bypass rhttpproxy and access internal endpoints.


14) Input validation error (CVE-ID: CVE-2021-22019)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in the VAPI (vCenter API) service. A remote attacker can pass a specially crafted JSON-RPC message to port 5480/TCP and perform a denial of service (DoS) attack.


15) Input validation error (CVE-ID: CVE-2021-22020)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in the Analytics service. A remote user can send a specially crafted request to the application and perform a denial of service (DoS) attack.


16) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-22018)

The vulnerability allows a remote attacker to delete arbitrary files on the system.

The vulnerability exists due to improperly imposed security restrictions in a VMware vSphere Life-cycle Manager plug-in. A remote non-authenticated attacker can send a specially crafted request to port 9087/TCP and delete non-critical files.


Remediation

Install the update from the vendor's website.