Satnam Narang, staff research engineer with security shop Tenable, said: "On their own, these vulnerabilities may not seem as severe as CVE-2021-21972, a remote code execution vulnerability in VMware's vCenter Server that was patched in February.
"However, if attackers chain both CVE-2021-21975 and CVE-2021-21983 together, they could also gain remote code execution privileges."
The two vulnerabilities were discovered by Egor Dimitrenko of Positive Technologies. They affect VMware vRealize Operations, VMware Cloud Foundation and vRealize Suite Lifecycle Manager.
The second issue was an arbitrary file write vulnerability in the vRealize Operations Manager API. In this case, an attacker who was already authenticated and had network access to the API could write files to arbitrary locations on the underlying Photon OS. This was given a maximum CVSSv3 base score of 7.2.
Both vulnerabilities were rated as important and the company listed workarounds as well.
Narang said the more severe flaw was CVE-2021-21975, the server-side request forgery vulnerability in the vROps Manager API.
"An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to the vulnerable vROps Manager API endpoint," he explained.
"Successful exploitation would result in the attacker obtaining administrative credentials."
Narang said VMware had also patched an arbitrary file write vulnerability [CVE-2021-21983] in the vROps Manager API, which could be used to write files to the underlying operating system.
"This vulnerability is post-authentication, meaning an attacker needs to be authenticated with administrative credentials in order to exploit this flaw," he pointed out.
Narang said that while VMware had provided workarounds, these should only be used as a temporary measure until one was able to work out a plan for applying the patches.