Updated: VMware has admitted its vRealize Business for Cloud product includes an “unauthorised VAMI API” that can be exploited to achieve remote code execution on the virtual appliance. The security flaw is rated critical, scoring 9.8 on the ten-point Common Vulnerability Scoring System.
VMware’s advisory says the security slip-up means “a malicious actor with network access may exploit this issue causing unauthorised remote code execution on vRealize Business for Cloud Virtual Appliance."
That’s scary, because vRealize Business for Cloud is aware of the disposition of private and public cloud resources and is billed as offering the chance to “view and update the status of critical internal business processes to understand the overall system health.”
The good news is that only version 7.6 of the product is affected, although that version has been in circulation since its release in July 2019. Patches can be accessed here.
VMware has thanked Egor Dimitrenko of Positive Technologies for reporting the vulnerability, which is known as CVE-2021-21984. ®
Updated at 2330 UTC, May 6
VMware has responded to The Register's inquiries about the "unauthorized API" we reported yesterday as follows:
“This issue is specific to vRealize Business for Cloud, and other virtual appliances are not impacted. A KB [knowledge base] article inaccurately described this as an issue with the Virtual Appliance Management Interface, and that KB has been updated for accuracy.”
The VMware article now blames the flaw on "an unauthorized end point" rather than a rogue API.
Which leaves the bug still rather scary, but means vAdmins no longer have the worry of vCenter having very nasty undocumented features.