In response to VMware publishing details of two newly disclosed vulnerabilities in VMware vRealize Operations, an expert commented below.

Researchers have disclosed a pair of vulnerabilities in VMware’s vRealize Operations (vROPs). The most severe flaw, CVE-2021-21975, is a server-side request forgery (SSRF) vulnerability in the vROPs Manager API. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to the vulnerable vROPs Manager API endpoint. Successful exploitation would result in the attacker obtaining administrative credentials.

VMware also patched CVE-2021-21983, an arbitrary file write vulnerability in the vROPs Manager API, which can be used to write files to the underlying operating system. This vulnerability is post-authentication, meaning an attacker needs to be authenticated with administrative credentials in order to exploit this flaw.

On their own, these vulnerabilities may not seem as severe as CVE-2021-21972 (https://www.tenable.com/blog/cve-2021-21972-vmware-vcenter-server-remote-code-execution-vulnerability), a remote code execution vulnerability in VMware’s vCenter Server that was patched in February. However, if attackers chain CVE-2021-21975 and CVE-2021-21983 together, they could also gain remote code execution privileges.

VMware has provided patches for both flaws across vROPs Manager versions 7.5.0 through 8.3.0. They have also provided a temporary workaround to prevent attackers from exploiting these flaws. The workaround should only be used as a temporary stop-gap until organizations are able to plan for applying the patches.