Today, VMware released an update that addresses nineteen vulnerabilities in vCenter Server. These vulnerabilities can be used to compromise vCenter Server installations and the ESXi hosts they manage.
Note:
The vulnerabilities exist in VMware Cloud Foundation, too.
About vCenter Server
VMware vCenter Server, formerly known as VirtualCenter, is the centralized management tool for the vSphere suite. vCenter Server allows for the management of multiple ESXi hosts and virtual machines (VMs) from different ESXi hosts through a single console or web application.
About the vulnerabilities
The following vCenter Server vulnerabilities are addressed today:
- CVE-2021-21991 Local privilege escalation vulnerability
- CVE-2021-21992 XML parsing Denial of Service vulnerability
- CVE-2021-21993 SSRF vulnerability
- CVE-2021-22005 File upload vulnerability (Critical)
- CVE-2021-22006 Reverse proxy bypass vulnerability
- CVE-2021-22007 Local information disclosure vulnerability
- CVE-2021-22008 Information disclosure vulnerability
- CVE-2021-22009 VAPI multiple denial of service vulnerabilities
- CVE-2021-22010 VPXD denial of service vulnerability
- CVE-2021-22011 Unauthenticated API endpoint vulnerability
- CVE-2021-22012 Unauthenticated API information disclosure vulnerability
- CVE-2021-22013 File path traversal vulnerability
- CVE-2021-22014 Authenticated code execution vulnerability
- CVE-2021-22015 Improper permission local privilege escalation vulnerabilities
- CVE-2021-22016 Reflected XSS vulnerability
- CVE-2021-22017 rhttpproxy Bypass vulnerability
- CVE-2021-22018 File deletion vulnerability
- CVE-2021-22019 Denial of Service vulnerability
- CVE-2021-22020 Analytics service denial of service vulnerability
About the fix
VMware addressed the vulnerabilities in the following versions:
- For vCenter Server 7.0, version 7.0 Update 2d and up is no longer vulnerable.
- For vCenter Server 6.7, version 6.7 Update 3o and up is no longer vulnerable.
- For vCenter Server 6.5, version 6.5 Update 3q and up is no longer vulnerable.
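As an added illustration of the fix matrix above (this is not VMware's code or tooling), the following script takes vCenter Server version strings written the way the advisory names them ("7.0 Update 2d", "6.7 Update 3o") and reports whether each instance is at or above the first fixed release. The inventory at the bottom is a constructed sample; real deployments should feed it from their own asset list.

```python
import re
from typing import Dict, List, Optional, Tuple

# Minimum fixed release per vCenter Server line, as stated in VMSA-2021-0020.
# Each entry is (update number, update letter); "" sorts before "a".
FIXED: Dict[str, Tuple[int, str]] = {
    "7.0": (2, "d"),   # 7.0 Update 2d
    "6.7": (3, "o"),   # 6.7 Update 3o
    "6.5": (3, "q"),   # 6.5 Update 3q
}

# Accepts "X.Y", "X.Y Update N" and "X.Y Update Nz" (case-insensitive).
_VERSION_RE = re.compile(r"^(\d+\.\d+)(?:\s+Update\s+(\d+)([a-z]?))?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[str, Tuple[int, str]]:
    """Split a vCenter version string into (line, (update_no, update_letter)).

    A bare line such as "6.5" is treated as update 0, i.e. the GA release.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised vCenter version string: {text!r}")
    line, update_no, letter = m.group(1), m.group(2), m.group(3)
    return line, (int(update_no) if update_no else 0, (letter or "").lower())


def is_patched(text: str) -> Optional[bool]:
    """True if the release is at or above the fix, False if below,
    None if the line is not covered by this advisory."""
    line, release = parse_version(text)
    if line not in FIXED:
        return None
    # Tuple comparison orders by update number first, then by letter,
    # so "7.0 Update 3" (3, "") correctly ranks above "7.0 Update 2d" (2, "d").
    return release >= FIXED[line]


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, Optional[bool]]:
    """Map each host name in the inventory to its patch status."""
    return {name: is_patched(version) for name, version in inventory}


# Constructed sample inventory; hypothetical host names, not from the advisory.
SAMPLE_INVENTORY = [
    ("vcsa-prod-01", "7.0 Update 2c"),   # one release short of the fix
    ("vcsa-prod-02", "7.0 Update 2d"),   # exactly the fixed release
    ("vcsa-lab-01", "6.7 Update 3n"),
    ("vcsa-legacy", "6.5 Update 3q"),
    ("vcsa-eol", "6.0"),                 # line not covered by VMSA-2021-0020
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        label = {True: "patched", False: "VULNERABLE", None: "not covered"}[status]
        print(f"{host:14} {label}")
```

The comparison is only as good as the version strings you feed it: take them from the vSphere Client or the appliance management interface rather than from hand-kept spreadsheets, and treat a "not covered" result as a prompt to check whether that line still receives security fixes at all.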
Concluding
Please install the updates for the version(s) of vCenter Server in use within your organization, as mentioned above and in the advisory for VMSA-2021-0020.
Further reading
VMware updated the patch for CVE-2020-3992 to completely address the Remote Code Execution Vulnerability (Critical, CVSSv3 9.8)
Two vulnerabilities in VMware ESXi may lead to virtual Domain Controller compromise (Critical, VMSA-2020-0026, CVE-2020-4004, CVE-2020-4005)
VMSA-2021-0014 updates for VMware ESXi and vCenter address two security vulnerabilities (CVE-2021-21994, CVE-2021-21995)