Earlier this week, VMware released updates that address an arbitrary file read vulnerability in the vSphere Web Client (CVE-2021-21980) and a Server Side Request Forgery (SSRF) vulnerability in the vSAN plug-in of the vSphere Web Client (CVE-2021-22049). Both issues affect vCenter Server 6.5 and vCenter Server 6.7 (and, through its vCenter Server component, VMware Cloud Foundation 3.x); neither requires anything more than network access to the vCenter Server's port 443.
About the vulnerabilities
arbitrary file read vulnerability in the vSphere Web Client (CVE-2021-21980)
The first vulnerability is an unauthenticated arbitrary file read in the vSphere Web Client (the FLEX/Flash client), reachable without valid vCenter credentials.
Note:
vCenter Server vSphere Web Client (FLEX/Flash) is not available in vCenter Server 7.x, therefore vCenter Server 7.x is not affected.
VMware rates this issue Important, with a maximum CVSSv3 base score of 7.5. A malicious actor with network access to port 443 on vCenter Server may exploit it to read files and gain access to sensitive information.
The vulnerability was responsibly disclosed to VMware by ch0wn of Orz lab.
SSRF vulnerability in the vSphere Web Client (CVE-2021-22049)
The second vulnerability is a Server Side Request Forgery (SSRF) vulnerability in the vSAN Web Client (vSAN UI) plug-in in the vSphere Web Client.
Note: as above, the vSphere Web Client (FLEX/Flash) is not available in vCenter Server 7.x, therefore vCenter Server 7.x is not affected.
VMware rates this issue Important, with a maximum CVSSv3 base score of 6.5. A malicious actor with network access to port 443 on vCenter Server may exploit it to make vCenter Server issue requests on their behalf, either to URLs outside vCenter Server or to internal services that are not otherwise reachable from the network.
The vulnerability was responsibly disclosed to VMware by magiczero from SGLAB of Legendsec at Qi'anxin Group.
How to address these vulnerabilities
VMware has released updated builds of vCenter Server 6.5 and vCenter Server 6.7 that address both vulnerabilities; the exact fixed versions and build numbers are listed in the advisory (VMSA-2021-0027).
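To turn "install the updates" into something checkable across an estate, the following script (an added example written for this page, not VMware's code or part of the advisory) classifies vCenter Servers as affected or not from the version line that `vpxd -v` prints on the appliance. The mapping of release line to fixed update and build number is an assumption on my part, taken from my reading of the advisory and VMware's vCenter build-number KB; confirm those values against the advisory before relying on the output. The inventory lines are constructed sample input.

```python
import re
from dataclasses import dataclass

# Fixed release per line as I read VMSA-2021-0027 (6.7 U3p, 6.5 U3r). The build
# numbers are ASSUMED values: verify them against the advisory and VMware's
# vCenter build-number KB before using this for real.
FIXED_BUILDS = {
    "6.7": ("6.7 U3p", 18831133),
    "6.5": ("6.5 U3r", 18711281),
}

# `vpxd -v` on a vCenter Server Appliance prints a line such as
# 'VMware VirtualCenter 6.7.0 build-18485166'.
VERSION_RE = re.compile(r"VMware VirtualCenter (\d+)\.(\d+)\.(\d+) build-(\d+)")


@dataclass
class VcStatus:
    host: str
    line: str        # release line, e.g. "6.7"
    build: int
    affected: bool
    reason: str


def parse_vpxd_version(text):
    """Return (release_line, build) from a `vpxd -v` output line."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, _patch, build = m.groups()
    return f"{major}.{minor}", int(build)


def assess(host, vpxd_line):
    """Decide whether a vCenter is still exposed to CVE-2021-21980/22049."""
    line, build = parse_vpxd_version(vpxd_line)
    if line not in FIXED_BUILDS:
        # 7.x has no FLEX/Flash client, so it is not affected. Anything older
        # than 6.5 is out of support and is treated as affected.
        if int(line.split(".")[0]) >= 7:
            return VcStatus(host, line, build, False, "7.x or later: no FLEX client")
        return VcStatus(host, line, build, True, "unsupported release line")
    name, fixed = FIXED_BUILDS[line]
    if build >= fixed:
        return VcStatus(host, line, build, False, f"at or above {name}")
    return VcStatus(host, line, build, True, f"below {name} (build {fixed})")


# Constructed inventory standing in for `vpxd -v` output collected over SSH.
SAMPLE_INVENTORY = {
    "vc01.corp.example": "VMware VirtualCenter 6.7.0 build-18485166",
    "vc02.corp.example": "VMware VirtualCenter 6.7.0 build-18831133",
    "vc03.corp.example": "VMware VirtualCenter 6.5.0 build-18499837",
    "vc04.corp.example": "VMware VirtualCenter 7.0.3 build-18778458",
}


def affected_hosts(inventory=SAMPLE_INVENTORY):
    """Hostnames that still need the VMSA-2021-0027 update, sorted."""
    return sorted(h for h, text in inventory.items() if assess(h, text).affected)


if __name__ == "__main__":
    for host, text in SAMPLE_INVENTORY.items():
        s = assess(host, text)
        state = "AFFECTED" if s.affected else "ok"
        print(f"{s.host:20} {s.line:4} build {s.build:<10} {state:9} {s.reason}")
```

The build comparison is deliberately per release line: a 6.5 build number is never compared against the 6.7 threshold, which is the usual mistake when people compare raw build numbers across lines.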
Concluding
Please install the updates for the version(s) of vCenter Server in use within your organization, as listed in the advisory for VMSA-2021-0027. Until that is done, restrict network access to port 443 on vCenter Server to the administrators and systems that genuinely need it, since both issues are reachable from that port alone.