"VMware Patches 2 Flaws in vRealize Operations"
VMware recently patched two critical vulnerabilities in its vRealize Operations (vROps) product, discovered by Egor Dimitrenko of Positive Technologies. vROps offers self-driving IT operations management for private, hybrid, and multi-cloud environments in a unified platform. The vROps Manager API is affected by a server-side request forgery (SSRF) vulnerability and an arbitrary file write issue. Exploiting the SSRF vulnerability could allow an attacker to abuse the functionality of a server, which can lead to attackers accessing or manipulating information. The second flaw, an arbitrary file write vulnerability in the vROps Manager API, allows attackers to write files to the underlying operating system. It is described as post-authentication because an attacker would need to be authenticated with administrative credentials to exploit it. According to Positive Technologies, attackers could achieve remote code execution if the two flaws are chained together. VMware has released patches for the two vulnerabilities across vROps Manager versions 7.5.0 through 8.3.0. This article continues to discuss the critical flaws found in the IT operations management platform vRealize Operations and other recently discovered VMware issues.
BankInfoSecurity reports "VMware Patches 2 Flaws in vRealize Operations"