Bugs aplenty as VMware, Cisco and F5 drop security updates
Two critical updates from Cisco, remote code execution flaws in F5's Big-IP, and a half-dozen VMware security holes are among the more pressing issues for admins to address.
It's shaping up to be a busy week for administrators as Cisco, VMware, F5 and OpenSSL have all released security updates for newly disclosed vulnerabilities.
So far there have been no reports of any of the bugs being exploited in the wild, but testing and installing the fixes as soon as possible is advised, as a number of the vulnerabilities could allow for code execution.
In Cisco's case, there are a total 17 CVE-listed vulnerabilities addressed by 16 different advisories, though most networks will only need a portion of those updates. The most serious of the flaws is CVE-2021-1577, an arbitrary read/write flaw in Application Policy Infrastructure Controller. That bug is rated as a critical security risk.
Another bug, CVE-2021-22156, is listed as a critical vulnerability for BlackBerry QNX products, though Cisco said that the QNX instances in its routing and switching gear could not be exploited.
Customers running F5 gear with the Big-IP and Big-IQ platforms will want to update their gear after the release of an advisory from the vendor detailing 29 different security flaws in various versions of both offerings. None of the CVE-listed flaws is considered to be a critical security risk, but 13 of the 29 are listed as high risk, including one (CVE-2021-23025) that would potentially allow for remote code execution.
For VMware, this week's security update addressed a total of six CVE-listed vulnerabilities. The affected products are Cloud Foundation, vRealize Operations Manager (prior to version 8.5) and vRealize Suite Lifecycle Manager.
The worst of the VMware flaws is CVE-2021-22025, a broken access control vulnerability in the vRealize Operations Manager (vROps) API. An attacker with network access could be able to add new nodes to a vROps cluster. Those rogue nodes could then potentially manage other nodes within the virtual network.
Also worth noting are CVE-2021-22026 and CVE-2021-22027, a pair of server-side request forgeries in vRealize Operations Manager that would potentially allow for information disclosure.
Moving over to OpenSSL, the security advisory addresses a pair of bugs that impact various builds. CVE-2021-3711 is a decryption buffer overflow that could cause a malicious application to gain memory access, while CVE-2021-3712 is a read buffer overrun that could trigger a crash or potentially give access to memory contents.
In both cases, updating to OpenSSL 1.1.11 will patch the problem.