Critical bug in VMware data center security product could enable product takeover

VMware issued an advisory informing users about a critical bug that exists in all versions of its VMware Carbon Black Cloud Workload product before 1.0.1 and could be exploited by attackers to evade authentication and take over the system, The Hacker News reports. Tracked as CVE-2021-21982 and having a 9.1 rating under the CVSS scoring system, the vulnerability involves a URL on the VMware Carbon Black Cloud Workload appliance’s administrative interface that can be “manipulated to bypass authentication” and grant a threat actor access to the appliance’s administration API, and from there view and modify administrative configuration settings, VMware said in its release. VMware has released a fix for the vulnerability as well as for two unrelated flaws in its vRealize Operations Manager software, CVE-2021-21975 and CVE-2021-21983, which attackers could use to perform Server Side Request Forgery attacks to steal administrator credentials and insert files into the underlying photon operating system, the company said.