Note: The hotfixes previously mentioned in this advisory were found to have only partially resolved CVE-2021-21975, leaving a residual risk of moderate severity (CVSS = 4.3). Hotfixes created to resolve the vulnerabilities documented in VMSA-2021-0018 also include complete fixes for CVE-2021-21975.
Workaround:
If the patch cannot be installed, or there is no patch for your version of vRealize Operations, the following steps can be taken to work around the issue.
There is no impact to vRealize Operations when applying this workaround.
To work around this issue in vRealize Operations, remove a configuration line from casa-security-context.xml.
1. Log in to the Primary node as root via SSH or Console, pressing ALT+F1 in a Console to log in.
2. Open /usr/lib/vmware-casa/casa-webapp/webapps/casa/WEB-INF/classes/spring/casa-security-context.xml in a text editor.
3. Find and remove the line that reads:
   <sec:http pattern="/nodes/thumbprints" security='none'/>
4. Save and close the file.
5. Restart the CaSA service:
   service vmware-casa restart
6. Repeat steps 1-5 on all other nodes in the vRealize Operations cluster.
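
The steps above as a script, added here as an example and not part of VMware's advisory. The function names, the --check/--apply flags and the CASA_XML override are assumptions introduced for illustration, and the script assumes the element sits on a line of its own, as the steps describe.

```shell
#!/bin/sh
# Added example: scripted form of the manual workaround steps. Run as root on each node.
# CASA_XML may be overridden for testing; the default is the path given in the steps.
CASA_XML="${CASA_XML:-/usr/lib/vmware-casa/casa-webapp/webapps/casa/WEB-INF/classes/spring/casa-security-context.xml}"
# Basic regex for the line to remove; accepts either quote style around none.
EXEMPT_RE='<sec:http[^>]*pattern="/nodes/thumbprints"[^>]*security=.none.'

# Succeeds (0) if the file still exempts /nodes/thumbprints from Spring Security.
has_thumbprints_exemption() {
    grep -q "$EXEMPT_RE" "$1"
}

# Delete the exemption line, keeping a timestamped backup next to the file.
# Returns 0 = removed, 1 = nothing to remove, 2 = error.
remove_thumbprints_exemption() {
    file="$1"
    [ -f "$file" ] || { echo "not found: $file" >&2; return 2; }
    has_thumbprints_exemption "$file" || return 1
    backup="$file.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$file" "$backup" || return 2
    # Write back into the original file so its owner and mode are unchanged.
    sed "\\#$EXEMPT_RE#d" "$backup" > "$file" || return 2
    # Confirm the edit took effect before the caller restarts the service.
    if has_thumbprints_exemption "$file"; then return 2; fi
    return 0
}

case "${1:-}" in
    --check)
        [ -f "$CASA_XML" ] || { echo "not found: $CASA_XML" >&2; exit 2; }
        if has_thumbprints_exemption "$CASA_XML"; then
            echo "exemption still present"; exit 1
        fi
        echo "exemption not present" ;;
    --apply)
        rc=0
        remove_thumbprints_exemption "$CASA_XML" || rc=$?
        case "$rc" in
            0) echo "line removed, restarting CaSA"; service vmware-casa restart ;;
            1) echo "line already absent, nothing changed" ;;
            *) exit 2 ;;
        esac ;;
esac
```

Run it with --apply on each node, then with --check to confirm that no node in the cluster still carries the line.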