VMware vRealize Business for Cloud Remote Code Execution Vulnerability (CVE-2021-21984)

Published: 2021-05-06

0x00 Vulnerability Overview

CVE ID: CVE-2021-21984

Date: 2021-05-06

Type: RCE

Severity: Critical

Remotely exploitable: Yes

Affected scope: VMware vRealize Business for Cloud < 7.6.0

PoC/EXP: Not public

Exploited in the wild: No

0x01 Vulnerability Details

vRealize Business for Cloud is an automated cloud business management solution that provides IT teams with cloud planning, budgeting, and cost analysis tools.

On May 5, 2021, VMware published a security advisory fixing a remote code execution vulnerability (CVE-2021-21984) in VMware vRealize Business for Cloud. The vulnerability has a CVSSv3 base score of 9.8.

Because the upgrade API of the management interface (VAMI, the Virtual Appliance Management Interface) lacks authorization, an attacker can use it to gain access to the vRealize Business for Cloud virtual appliance and execute code remotely, without any authentication or user interaction.

Affected scope

VMware vRealize Business for Cloud < 7.6.0

0x02 Remediation Advice

This vulnerability has been fixed. Download and apply the vRealize Business for Cloud 7.6 security patch ISO file as soon as possible.

Download link:

https://kb.vmware.com/s/article/83475

0x03 References

https://www.vmware.com/security/advisories/VMSA-2021-0007.html

https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-rce-bug-in-vrealize-business-for-cloud/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21984

0x04 Timeline

2021-05-05  VMware publishes security advisory

2021-05-06  VSRC publishes security advisory

0x05 Appendix

CVSS scoring standard (official site): http://www.first.org/cvss/
