This critical alert is to inform you of two new vulnerabilities identified in VMware vSphere 6.5, 6.7 and 7.0. The vulnerabilities also affect VMware Cloud Foundation 3.x/4.x environments. They are covered by VMSA-2021-0010.
Further information is available in a blog post and an FAQ (links below; please visit these sites).
VMware engineering identified multiple security vulnerabilities that affect vCenter Server and ESXi.
- CVE-2021-21985 – VMware vCenter Server updates address a remote code execution vulnerability in the vSphere Client
The vSphere Client (HTML5) contains a remote code execution vulnerability due to a lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server.
- CVE-2021-21986 – Authentication bypass vulnerability in vCenter Server Plugins
The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins.
VMware has evaluated the severity of this issue as Moderate, with a maximum CVSSv3 base score of 6.5.
What should you do next?
- Please urgently review the articles below detailing the vulnerabilities.
· Official Security Advisory — VMware Security Advisory
· Public FAQ — VMSA-2021-0010 Questions & Answers (FAQ)
· Workaround KB — KB detailing workarounds
· Communities Thread — VMware Communities Forum Thread on VMSA-2021-0010
· VMware Blog (important tips for patching and additional mitigation info) — VMSA-2021-0010: What You Need to Know
- If your environment is running an affected version, VMware recommends that you update to the fixed version listed for it in the VMSA Response Matrix.
- Alternatively, if you are unable to patch immediately, evaluate the applicable workarounds and implement them as documented in the KB above.
- If you have any questions or concerns, contact VMware Support or your Premier Support contact by raising an SR (service request) describing your query.