CVE-2021-40438 in vRealize Operations 8.5 and below

Article ID: 344371

Products

VMware Aria Suite

Issue/Introduction

In vRealize Operations 8.5 and below, a security scan finds the appliance is vulnerable to:
  • CVE-2021-40438 (https://nvd.nist.gov/vuln/detail/CVE-2021-40438)

A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.


Environment

VMware vRealize Operations 8.4.x
VMware vRealize Operations 8.3.x
VMware vRealize Operations 8.5.x
VMware vRealize Operations 8.2.x
VMware vRealize Operations 8.0.x
VMware vRealize Operations 8.1.x

Resolution

CVE-2021-40438 is resolved in vRealize Operations 8.6 and later, available at VMware Downloads. Upgrade to one of those versions to resolve this issue.

CVE-2021-40438 has also been resolved in the following Hot Fix releases:
  • vRealize Operations 8.1.1 Hot Fix 10 (87224)
  • vRealize Operations 8.2 Hot Fix 10 (87225)
  • vRealize Operations 8.3 Hot Fix 9 (87226)
  • vRealize Operations 8.4 Hot Fix 6 (87227)
  • vRealize Operations 8.5 Hot Fix 5 (87228)