VMware today released multiple patches for a range of products including VMware vRealize Operations (prior to version 8.5.0), VMware Cloud Foundation (versions 3.x and 4.x), and vRealize Suite Lifecycle Manager (version 8.x). These CVEs include CVE-2021-22021 through CVE-2021-22027, which include a broken access control vulnerability (CVE-2021-22025 with CVSS score 8.6) that allows for adding new nodes to the vROps clusters , arbitrary read file vulnerabilities that would lead to data breach, and insecure direct reference in vRealize Operations Manager API (CVE-22023) which allows an attacker with previously gained administrative access to alter information and control other accounts. These vulnerabilities were responsibly disclosed by researchers at Positive Technologies, MoyunSec V-Lab, and Vantage Point Security.
Vulnerabilities in VMware solutions represent potentially critical access by attackers. Due to the responsible disclosure cycle, patches have been released and can be accessed via the VMware security advisory found at: https://www.vmware.com/security/advisories/VMSA-2021-0018.html and associated Knowledge Base (KB) articles. Since no known workarounds exist for these CVE, patching and updating will be the primary mitigations. While patching may introduce risks of its own that need to be carefully monitored, we can expect attackers to quickly adjust their tactics to incorporate attacks onto unpatched VMware deployments due to the widespread use of these solutions.