March 29, 2023

VMware has disclosed a critical bug in vSphere and vCenter products and urged users to drop everything and patch it and provides a workaround.

Totally 19 bugs disclosed. The worst of the bunch is CVE-2021-22005.The flaw is rated 9.8/10 in severity using the CVSS.

A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.

VMware advisory

The company has all but admitted users should assume that disclosure of the issue means ransomware attacks and other infections are nigh on inevitable if users don’t address it ASAP. Workarounds also tend to be more challenging for vSphere Admins who do not have deep UNIX experience. Just using UNIX text editors can be a challenge.

The first is to check your version number, because vCenter Server 7.0 U2d, 6.7U30, and 6.5 U3q are already fixed. Cloud Foundation versions 4.3.1 and also don’t need urgent remediation.But vSphere 6.5, Cloud Foundation 3.x and 4.x, vCenter Server 6.7 and 7.0, all need patches.

The company has also urged users to look beyond CVE-2021-22005, because the 18 other flaws it has disclosed need their own responses.

CVE-2021-22015 allows local privilege escalation due to improper permissions of files and directories. CVE-2021-22011 concerns an unauthenticated API endpoint vulnerability in vCenter Server Content Library. CVE-2021-22017 relates to improper implementation of URI normalization and means internal endpoints could be accessed. Even the least severe of the flaws 4.3-rated CVE-2021-21993 can lead to information leaks.

Leave a Reply

%d bloggers like this: