VMSA-2021-0010 updates for vCenter Server addresses two security vulnerabilities (CVE-2021-21985, CVE-2021-21986)

Today, VMware released an update that addresses two vulnerabilities in its vCenter Server and Cloud Foundation products::

  • A remote code execution vulnerability in the vSphere Client  (CVE-2021-21985)
  • Authentication mechanism issue in vCenter Server Plug-ins (CVE-2021-21986)

About the vulnerabilities

remote code execution vulnerability in the vSphere Client (CVE-2021-21985)

The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

Authentication mechanism issue in vCenter Server Plug-ins (CVE-2021-21986)

The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.

A malicious actor with network access to port 443 on vCenter Server may perform actions allowed by the impacted plug-ins without authentication.

How to fix the situation

VMware has released new versions of its vCenter Server and Cloud Foundation products. These versions address the vulnerabilities:

  1. vCenter Server 7.0 U2b
  2. vCenter Server 6.7 U3n
  3. vCenter Server 6.5 U3p
  4. Cloud Foundation (vCenter Server) 4.2.1
  5. Cloud Foundation (vCenter Server) 3.10.2.1

Alternatively, VMware KnowledgeBase article 83829 provides a workaround for admins who can’t install the updates just yet. They can remediate the solution by disabling VMware Plugins in vCenter Server.

Concluding

Please install the updates for the version(s) of ESXi, vCenter Server and/or Cloud Foundation in use within your organization, as mentioned above and in the advisory for VMSA-2021-0010.

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.