This critical alert is to inform you of two new vulnerabilities identified in VMware vSphere 6.5, 6.7 and 7.0. The vulnerabilities also affect VMware Cloud Foundation 3.x/4.x environments. They are covered by VMSA-2021-0010.
Further information is available in a blog post and FAQ (links below; please visit these sites).
VMware engineering identified multiple security vulnerabilities that affect vCenter Server and ESXi.
- CVE-2021-21985 – VMware vCenter Server updates address remote code execution vulnerability in the vSphere Client
The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check Plugin, which is enabled by default in vCenter Server.
VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
- CVE-2021-21986 – Authentication bypass vulnerability in vCenter Server Plugins
The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins.
VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.
What should you do next?
- Please urgently review the below articles detailing the vulnerabilities.
Resources:
· Official Security Advisory — VMware Security Advisory
· Public FAQ — VMSA-2021-0010 Questions & Answers (FAQ)
· Workaround KB — KB detailing workarounds
· Communities Thread — VMware Communities Forum Thread on VMSA-2021-0010
· VMware Blog (important tips for patching and additional mitigation info) — VMSA-2021-0010: What You Need to Know
- If your environment is running one of the affected versions, VMware recommends that you update to the fixed version listed for your release in the VMSA response matrix.
- Alternatively, if you are unable to patch immediately, you may evaluate the applicable workarounds and implement them as documented in the KB above.
- If you have any questions or concerns, contact VMware Support or your Premier Support contact by raising an SR (service request) specifying your query.