SecurityWeek
VMware this week announced patches for a series of vulnerabilities in vRealize Operations, including four considered high severity.
The most serious is CVE-2021-22025 (CVSS score of 8.6), described as a broken access control vulnerability in the vRealize Operations Manager API that allows an attacker to gain unauthenticated API access.
According to VMware, an unauthenticated attacker with network access to the vRealize Operations Manager API could exploit the flaw to add new nodes to an existing vROps cluster. Because no credentials are required, any vROps Manager API endpoint reachable from untrusted networks should be treated as exposed until the patch is applied.
The company also addressed an arbitrary log-file read vulnerability in the vRealize Operations Manager API (CVE-2021-22024, CVSS score of 7.5) and two server-side request forgery (SSRF) vulnerabilities (CVE-2021-22026 and CVE-2021-22027, each with a CVSS score of 7.5).