¡¾Îó²îͨ¸æ¡¿VMwareδÊÚȨ»á¼ûÎó²î(CVE-2021-22002)

Ðû²¼Ê±¼ä 2021-08-06

0x00 Îó²î¸ÅÊö

CVE   ID

CVE-2021-22002

ʱ    ¼ä

2021-08-05

Àà    ÐÍ

δÊÚȨ»á¼û

µÈ    ¼¶

¸ßΣ

Ô¶³ÌʹÓÃ

ÊÇ

Ó°Ïì¹æÄ£


¹¥»÷ÖØƯºó

µÍ

¿ÉÓÃÐÔ

µÍ

Óû§½»»¥

ÎÞ

ËùÐèȨÏÞ

ÎÞ

PoC/EXP

δ¹ûÕæ

ÔÚҰʹÓÃ

·ñ

 

0x01 Îó²îÏêÇé

image.png

2021Äê8ÔÂ5ÈÕ£¬£¬£¬£¬£¬£¬VMwareÐû²¼Çå¾²¸üУ¬£¬£¬£¬£¬£¬ÐÞ¸´ÁËÆä¶à¸ö²úÆ·ÖеÄ2¸öÇå¾²Îó²î£¨CVE-2021-22002ºÍCVE-2021-22003£©£¬£¬£¬£¬£¬£¬ÕâЩÎó²îÓ°ÏìÁËVMware Workspace One Access (Access)¡¢VMware Identity Manager (vIDM)¡¢VMware vRealize Automation (vRA)¡¢VMware Cloud FoundationºÍvRealize Suite Lifecycle Manager²úÆ·¡£¡£¡£¡£¡£ÏêÇéÈçÏ£º

VMwareδÊÚȨ»á¼ûÎó²î(CVE-2021-22002)

VMware Workspace One Access ºÍ Identity ManagerÖб£´æδÊÚȨ»á¼ûÎó²î£¬£¬£¬£¬£¬£¬Äܹ»ÍøÂç»á¼û443¶Ë¿ÚµÄ¶ñÒâ¹¥»÷Õß¿ÉÒÔͨ¹ý¸Ä¶¯Ö÷»úÍ·À´»á¼û8443¶Ë¿ÚÉϵÄ/cfg webÓ¦ÓóÌÐòºÍÕï¶Ï¶Ëµã£¨Î´¾­Éí·ÝÑéÖ¤£©£¬£¬£¬£¬£¬£¬¸ÃÎó²îµÄCVSSv3ÆÀ·ÖΪ8.6£¨¸ßΣ£©¡£¡£¡£¡£¡£

 

VMwareÐÅϢй¶Îó²î(CVE-2021-22003)

ÓÉÓÚVMware Workspace One Access ºÍ Identity ManagerÒâÍâÔÚ7443¶Ë¿ÚÌṩÁËÒ»¸öµÇ¼½çÃ棬£¬£¬£¬£¬£¬Äܹ»ÍøÂç»á¼û7443¶Ë¿ÚµÄ¶ñÒâ¹¥»÷Õß¿ÉÄÜ»áʵÑéͨ¹ýÓû§Ã¶¾Ù»ò¶ÔµÇ¼¶Ëµã¾ÙÐб©Á¦Æƽ⹥»÷¡£¡£¡£¡£¡£µ«ÓÉÓÚÕ½ÂÔÉèÖúÍÃÜÂëÖØ´óÐÔ£¬£¬£¬£¬£¬£¬¸ÃÎó²î²»Ì«¿ÉÄܱ»Ê¹Ó㬣¬£¬£¬£¬£¬ÆäCVSSv3ÆÀ·ÖΪ3.7£¨µÍΣ£©¡£¡£¡£¡£¡£

 

0x02 ´¦Öóͷ£½¨Òé

ÏÖÔÚÕâЩÎó²îÒѾ­ÐÞ¸´¡£¡£¡£¡£¡£½¨Òé²Î¿¼Ï±íʵʱÉý¼¶¸üУº

²úÆ·

Ó°Ïì°æ±¾

CVE-ID

²¹¶¡

Access

20.10.01

CVE-2021-22002, CVE-2021-22003

https://kb.vmware.com/s/article/85254

20.10

vIDM

3.3.5

CVE-2021-22002, CVE-2021-22003

3.3.4

3.3.3

3.3.2

vRealize Automation

8.x

CVE-2021-22002, CVE-2021-22003

²»ÊÜÓ°Ïì

vRealize Automation (vIDM)

7.6

CVE-2021-22002

²¹¶¡ÍýÏ룺

https://kb.vmware.com/s/article/85255

vRealize Automation (vIDM)

7.6

CVE-2021-22003

²»ÊÜÓ°Ïì

VMware Cloud Foundation (vIDM)

4.x

CVE-2021-22002, CVE-2021-22003

https://kb.vmware.com/s/article/85254

8.x

 

ÏÂÔØÁ´½Ó£º

https://www.vmware.com/security/advisories/VMSA-2021-0016.html

 

0x03 ²Î¿¼Á´½Ó

https://www.vmware.com/security/advisories/VMSA-2021-0016.html

https://kb.vmware.com/s/article/85254

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22002

 

0x04 ¸üа汾

°æ±¾

ÈÕÆÚ

ÐÞ¸ÄÄÚÈÝ

V1.0

2021-08-06

Ê×´ÎÐû²¼

 

0x05 Îĵµ¸½Â¼

CNVD£ºwww.cnvd.org.cn

CNNVD£ºwww.cnnvd.org.cn

CVE£ºcve.mitre.org

NVD£ºnvd.nist.gov

CVSS£ºwww.first.org

 

0x06 ¹ØÓÚ¼øºÚµ£±£Íø

¹Ø×¢ÒÔϹ«Öںţ¬£¬£¬£¬£¬£¬»ñÈ¡¸ü¶à×ÊѶ£º

         image.png