Alert Logic® is actively investigating a new vulnerability, CVE-2021-21972, in the vRealize Operations plugin of VMware vCenter Server. This vulnerability allows arbitrary file upload, which can be used to implant malicious files such as a JSP web shell. Exploiting this vulnerability would grant attackers command execution on unpatched devices and could enable lateral movement across networks.
Customers running vCenter Server versions 7.0, 6.7, or 6.5 should update to 7.0 U1c, 6.7 U3l, or 6.5 U3n, respectively. For more information about mitigation, refer to the Recommendations for Mitigation section in this article.
CVE-2021-21972 affects the vRealize Operations plugin of VMware vCenter Server, a server typically deployed within larger enterprise networks as a centralized management utility through which personnel manage VMware products installed on local workstations.
For more information, refer to the security advisory from VMware.
Alert Logic Coverage
Vulnerability Scanning: Alert Logic has developed vulnerability scan coverage to identify vulnerable assets.
Network IDS: Alert Logic is actively researching whether telemetry or specific signatures can be enabled to detect this threat.
Web Application Firewall: Alert Logic has released a virtual patch for Web Security Manager that detects and blocks the .tar exploit file when uploaded to the uploadova service. Customers with the EMERGING_THREATS virtual patch group enabled will automatically get protection from this exploit. As an alternative, the .tar file extension can be banned in the upload filter configuration.
These patches are available to customers running version 4.6 of the Alert Logic WAF appliance. For assistance with determining whether you have enabled virtual patches or to discuss updating your appliance to version 4.6 to take advantage of these patches, submit a ticket to our Alert Logic Security Operations Center. If you plan to newly enable virtual patches, Alert Logic highly recommends working with a Web Security Expert prior to enabling any new patches to ensure proper tuning and continued availability.
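As an added example (not Alert Logic's or VMware's code), the following Python models the two upload controls described above: the virtual patch that blocks a .tar file posted to the uploadova service, and the alternative upload-filter rule that bans the .tar extension on any upload. The endpoint path, multipart boundary, form field name and sample bodies are constructed for the demonstration; the real uploadova endpoint path is the one in VMware's advisory, not the placeholder used here.

```python
import re
from dataclasses import dataclass

# Constructed multipart boundary for the sample requests (not a value from the advisory).
BOUNDARY = "----alertlogic-demo-boundary"
_FILENAME_RE = re.compile(rb'filename="([^"]*)"', re.IGNORECASE)


@dataclass
class Verdict:
    blocked: bool
    reason: str


def multipart_filenames(body: bytes, boundary: str):
    """Return the filename= value from every file part of a multipart/form-data body."""
    names = []
    for part in body.split(b"--" + boundary.encode()):
        head = part.split(b"\r\n\r\n", 1)[0]  # part headers only, never the file bytes
        match = _FILENAME_RE.search(head)
        if match:
            names.append(match.group(1).decode("utf-8", "replace"))
    return names


def inspect_upload(method: str, path: str, content_type: str, body: bytes,
                   banned_exts=(".tar",), ban_everywhere=False) -> Verdict:
    """Virtual-patch mode blocks a banned extension only when posted to the uploadova
    service; ban_everywhere=True models the upload-filter rule that bans it on any upload."""
    if method.upper() != "POST":
        return Verdict(False, "not an upload")
    boundary = re.search(r'boundary="?([^";]+)"?', content_type)
    if not boundary:
        return Verdict(False, "not multipart")
    # Match on the path component only, so a query string cannot hide the target service.
    to_uploadova = "uploadova" in path.split("?", 1)[0].lower()
    for name in multipart_filenames(body, boundary.group(1)):
        # Compare the leaf name so directory separators in the filename cannot mask the extension.
        leaf = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if leaf.endswith(tuple(banned_exts)):
            if to_uploadova:
                return Verdict(True, f"virtual patch: {leaf} posted to uploadova")
            if ban_everywhere:
                return Verdict(True, f"upload filter: banned extension on {leaf}")
    return Verdict(False, "allowed")


def build_request(filename: str, payload: bytes = b"constructed bytes"):
    """Build a constructed Content-Type header and multipart body carrying one file part."""
    body = (f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"uploadFile\"; "
            f"filename=\"{filename}\"\r\nContent-Type: application/octet-stream\r\n\r\n"
            ).encode() + payload + f"\r\n--{BOUNDARY}--\r\n".encode()
    return f"multipart/form-data; boundary={BOUNDARY}", body
```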
Log Management: At this time, it is not expected that log detection is appropriate for this threat; however, Alert Logic will continue this assessment.
Recommendations for Mitigation
VMware has released updates to remediate this vulnerability. It is recommended to apply updates to affected versions as soon as possible:
- Version 7.0: Fixed Version 7.0 U1c
- Version 6.7: Fixed Version 6.7 U3l
- Version 6.5: Fixed Version 6.5 U3n
If you are not able to immediately apply an update, a workaround is also available in VMware’s security advisory.
This section will be updated with new information about this vulnerability and related Alert Logic coverage as it becomes available.