VMware has released security updates for vCenter Server after fixing arbitrary file read and SSRF vulnerabilities in the vSphere Web Client (FLEX/Flash).
Enterprises running vulnerable instances of the server management platform have been advised to apply the relevant updates. Both flaws were rated ‘important’ in severity.
The more severe of the two, with a CVSS rating of 7.5, is the arbitrary file read bug (CVE-2021-21980), abuse of which could enable a malicious actor to gain access to sensitive information.
The SSRF vulnerability (CVE-2021-22049), which has a CVSS of 6.5, was found specifically in the vSAN Web Client plugin. An attacker could exploit this flaw to make the server access an internal service or issue a URL request outside of vCenter Server.
VMware has released security updates that address both flaws for vCenter Server versions 6.5 and 6.7. Patches for both bugs are pending for Cloud Foundation’s 3.x release line, while 4.x is unaffected.
VMware thanked ‘ch0wn’ of Orz lab for reporting the arbitrary file read issue and ‘magiczero’ from the QI-ANXIN Group for reporting the SSRF.