VMWare has admitted that vRealize Business for Cloud includes an “unauthorized VAMPI API’ that is vulnerable to hackers looking for remote code execution capabilities on the virtual appliance. The security flaw is critical and scored 9.8 on the ten-point Common Vulnerability Scoring System.
VAMI is the vCenter Server Appliance Management Interface, a tool used by admins to drive its flagship vCenter Server Appliance and manage virtual machine fleets. For VAMI to have the ‘unauthorized’ API which can be used by criminals is a very terrifying thought for users who depend on the product.
The VMware advisory
VMware’s advisory does not explain how the unauthorized API made its way into their product. However, it does reveal that the security mistake means a malicious actor with network access may exploit it and cause unauthorized remote code execution on vRealize Business for Cloud Virtual Appliance.
That is an uncomfortable thought because vRealize Business for Cloud is aware of how private and public cloud resources work and is marketed as the tool to help you view and update the status of critical internal business processes. This helps you to get an overall view of the system health.
Patches are available
There is some good news though since the only version impacted is 7.6. It was released in July 2019. If you are using this version, then it is time you ensured that it is safe. There are patches available to ensure that operations can continue without fearing attacks.
VMware thanked Egor Dimitrenko of Positive Technologies. He found out about the vulnerability and reported it.
It has been named CVE-2021-21984. With the patches in place, the harm should be mitigated. A better solution would be to use a different version that has no such flaws.