https://www.ibm.com/support/pages/node/6507111
SECURITY BULLETIN: MULTIPLE VULNERABILITIES IN VMWARE VCENTER AFFECT IBM CLOUD PAK SYSTEM

SUMMARY

Multiple vulnerabilities in VMware vCenter plug-ins affect IBM Cloud Pak System. In response to the vulnerabilities in VMware vCenter, IBM provides a new release, IBM Cloud Pak System V2.3.3.4, with a new vCenter Image.

VULNERABILITY DETAILS

CVEID: CVE-2021-21985
DESCRIPTION: VMware vCenter Server and Cloud Foundation could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of user-supplied input by the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server. By sending a specially crafted request using port 443, an attacker could exploit this vulnerability to execute arbitrary commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
CVSS Base score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/202404 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2021-21986
DESCRIPTION: VMware vCenter Server and Cloud Foundation could allow a remote attacker to bypass security restrictions, caused by a flaw in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. By sending a specially crafted request using port 443, an attacker could exploit this vulnerability to bypass authentication and perform actions allowed by the impacted plug-ins without authentication.
CVSS Base score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/202403 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2021-21991
DESCRIPTION: VMware vCenter Server and Cloud Foundation could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper handling of session tokens. An attacker could exploit this vulnerability to escalate privileges to Administrator on the vSphere Client.
CVSS Base score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/209752 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2021-21992
DESCRIPTION: VMware vCenter Server and Cloud Foundation are vulnerable to a denial of service, caused by improper XML entity parsing. A remote authenticated attacker could exploit this vulnerability to cause a denial of service on the vCenter Server host.
CVSS Base score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/209751 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2021-21993
DESCRIPTION: VMware vCenter Server and Cloud Foundation are vulnerable to server-side request forgery, caused by improper validation of URLs in the vCenter Server Content Library. By sending a specially crafted POST request, a remote authenticated attacker could exploit this to obtain sensitive information.
CVSS Base score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/209750 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2021-22006
DESCRIPTION: VMware vCenter Server and Cloud Foundation could allow a remote attacker to bypass security restrictions, caused by improper handling of the URI by endpoints. An attacker could exploit this vulnerability to access restricted endpoints.
CVSS Base score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/209748 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L)

CVEID: CVE-2021-22008
DESCRIPTION: VMware vCenter Server could allow a remote attacker to obtain sensitive information. By sending a specially crafted jsonrpc message, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/209746 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2021-22009
DESCRIPTION: VMware vCenter Server and Cloud Foundation are vulnerable to a denial of service, caused by an error in the VAPI (vCenter API) service. A remote attacker could exploit this vulnerability to consume excessive memory resources.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/209745 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2021-22010
DESCRIPTION: VMware vCenter Server and Cloud Foundation are vulnerable to a denial of service, caused by an error in the VPXD (Virtual Provisioning X Daemon) service. A remote attacker could exploit this vulnerability to consume excessive memory resources.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/209744 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2021-22011
DESCRIPTION: VMware vCenter Server and Cloud Foundation could allow a remote attacker to bypass security restrictions, caused by an unauthenticated API endpoint vulnerability. An attacker could exploit this vulnerability to manipulate VM network settings.
CVSS Base score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/209743 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H)

CVEID: CVE-2021-22016
DESCRIPTION: VMware vCenter Server is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/209738 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2021-22017
DESCRIPTION: Rhttproxy, as used in VMware vCenter Server and Cloud Foundation, could allow a remote attacker to bypass security restrictions, caused by the improper implementation of URI normalization. An attacker could exploit this vulnerability to bypass the proxy, leading to internal endpoints being accessed.
CVSS Base score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/209737 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

AFFECTED PRODUCTS AND VERSIONS

Affected Product(s)   | Version(s)
IBM Cloud Pak System  | V2.3.0.1, V2.3.1.1, V2.3.2.0
IBM Cloud Pak System  | V2.3.3.0, V2.3.3.1, V2.3.3.2, V2.3.3.3, V2.3.3.3 iFix 1

REMEDIATION/FIXES

For unsupported or end-of-life releases, the recommendation is to upgrade to a supported, fixed release of the product.

In response to the vulnerabilities above, IBM provides a new release, IBM Cloud Pak System V2.3.3.4, with a new Windows vCenter Image updated to vCenter 6.7 U3o.

For IBM Cloud Pak System V2.3.0.1, V2.3.1.1, V2.3.2.0, V2.3.3.0, V2.3.3.1, V2.3.3.2, V2.3.3.3 and V2.3.3.3 iFix 1, upgrade to IBM Cloud Pak System V2.3.3.4 at Fix Central.

If you are not able to upgrade, or for earlier releases, apply the workaround provided here until you upgrade. Information on upgrading can be found here: http://www.ibm.com/support/docview.wss?uid=ibm10887959.

WORKAROUNDS AND MITIGATIONS

None.

GET NOTIFIED ABOUT FUTURE SECURITY BULLETINS

Subscribe to My Notifications to be notified of important product support alerts like this.

REFERENCES

* Complete CVSS v3 Guide
* On-line Calculator v3
* VMSA-2021-0010
* VMSA-2021-0020

RELATED INFORMATION

* IBM Secure Engineering Web Portal
* IBM Product Security Incident Response Blog

ACKNOWLEDGEMENT

CHANGE HISTORY

14 Oct 2021: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

DISCLAIMER

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them.

"Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

DOCUMENT LOCATION

Worldwide

DOCUMENT INFORMATION

More support for: IBM Cloud Pak System
Software version: 2.3
Operating system(s): Linux, Windows
Document number: 6507111
Modified date: 06 May 2022
UID: ibm16507111