I wanted to make sure that you were aware of the CRITICAL vCenter Server Security Advisory that was just released yesterday (21/09/2021).
Security Advisory
VMware vCenter Server updates address several CVEs across all 3 supported versions of vCenter Server (6.5/6.7/7.0), with a maximum CVSSv3 base score of 9.8.
Known Attack Vectors
A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.
Product Releases (to address advisory)
- vCenter Server 7.0 U2d (build 18455184) – [Download] [Release Notes]
- vCenter Server 6.7 U3o (build 18485166) – [Download] [Release Notes]
- vCenter Server 6.5 U3q (build 18499837) – [Download] [Release Notes]
Workaround
A workaround is available only for the Critical Vulnerability “CVE-2021-22005 — vCenter Server file upload” and is detailed in VMware KB85717. No other workaround will be documented for any of the other 18 CVEs.
Things to consider:
- VCSA 6.7 and 7.0 are impacted by Critical Vulnerability “CVE-2021-22005 — vCenter Server file upload”
- VCSA 7.0 U2c, released on August 24, 2021, is not vulnerable to “CVE-2021-22005 — vCenter Server file upload”
- Workaround applies only to Critical Vulnerability “CVE-2021-22005” and is available as a temporary preventive measure
- There is NO impact as a result of implementing the workaround
- Apply the workaround detailed in VMware KB85717 if patching is not possible. The workaround includes both a script (to automate the manual steps) and manual steps for updating the “/etc/vmware-analytics/ph-web.xml” file
- Upgrade path from 6.7 U3o to 7.0 U2d is supported
- Upgrade path from 6.5 U3q to 7.0 U2d is supported
- For VCSA 7.0 – Please upgrade to 7.0 U2d as soon as possible. The patch includes all fixes and will revert the workaround documented in VMware KB85717.
- For VCSA 6.7 – Please upgrade to 6.7 U3o as soon as possible. The patch includes all fixes and will revert the workaround documented in VMware KB85717.
- For VCSA 6.5 – Please upgrade to 6.5 U3q to mitigate several IMPORTANT vulnerabilities as soon as possible.
- Back-in-time upgrade scenarios: see KB67077 (vSphere Back-in-time release upgrade restriction)
- VMSA-2021-0020 FAQs
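To turn the fixed build numbers listed above into an inventory check, here is an added example script (my own, not VMware's or part of the advisory). It assumes you have already collected each appliance's version string and build number (for example from the vCenter appliance management interface) and flags which appliances still need the patch and, for the 6.7/7.0 families, the KB85717 workaround in the meantime.

```python
"""Triage vCenter Server appliances against the VMSA-2021-0020 fixed builds."""
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Fixed builds from the advisory summary: version family -> (release, build).
FIXED_BUILDS = {
    "7.0": ("7.0 U2d", 18455184),
    "6.7": ("6.7 U3o", 18485166),
    "6.5": ("6.5 U3q", 18499837),
}
# Families impacted by the critical file-upload CVE-2021-22005 (workaround in KB85717).
CVE_2021_22005_FAMILIES = {"6.7", "7.0"}


@dataclass
class Finding:
    host: str
    family: str
    build: int
    status: str       # "fixed", "vulnerable" or "unknown"
    critical: bool    # True when CVE-2021-22005 may apply
    action: str


def family_of(version: str) -> Optional[str]:
    """Map a version string such as '7.0.2.00500' to its advisory family."""
    parts = version.split(".")
    fam = ".".join(parts[:2]) if len(parts) >= 2 else None
    return fam if fam in FIXED_BUILDS else None


def assess(host: str, version: str, build: str) -> Finding:
    fam = family_of(version)
    num = int(build) if build.isdigit() else -1
    if fam is None or num < 0:
        return Finding(host, fam or "?", num, "unknown", False, "verify version/build manually")
    release, fixed = FIXED_BUILDS[fam]
    if num >= fixed:
        return Finding(host, fam, num, "fixed", False, f"at or above {release}, no action")
    # Conservative: a 7.0 build between U2c and U2d is still flagged critical here,
    # because the U2c build number is not part of the advisory summary above.
    critical = fam in CVE_2021_22005_FAMILIES
    action = f"patch to {release}" + ("; apply KB85717 workaround until patched" if critical else "")
    return Finding(host, fam, num, "vulnerable", critical, action)


def triage(inventory: List[Tuple[str, str, str]]) -> List[Finding]:
    """Assess every (host, version, build) tuple; critical findings are listed first."""
    findings = [assess(*entry) for entry in inventory]
    return sorted(findings, key=lambda f: (not f.critical, f.status != "vulnerable", f.host))
```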