Security Advisory VMSA-2021-0020

I wanted to make sure that you were aware of the CRITICAL vCenter Server Security Advisory that was just released yesterday (21/09/2021).


Security Advisory

VMSA-2021-0020 

VMware vCenter Server updates address several CVEs across all 3 supported versions of vCenter Server (6.5/6.7/7.0), with a maximum CVSSv3 base score of 9.8.

Known Attack Vectors

A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.

Product Releases (to address advisory)

Workaround

A workaround is available only for the Critical Vulnerability “CVE-2021-22005 — vCenter Server file upload” and is detailed in VMware KB85717. No workaround will be documented for any of the other 18 CVEs.

Things to consider:

  • VCSA 6.7 and 7.0 are impacted by Critical Vulnerability “CVE-2021-22005 — vCenter Server file upload”
  • VCSA 7.0 U2c released on August 24, 2021 is not vulnerable to “CVE-2021-22005 — vCenter Server file upload”
  • Workaround applies only to Critical Vulnerability “CVE-2021-22005” and is available as a temporary preventive measure
  • There is NO impact as a result of implementing the workaround
  • Apply the workaround detailed in VMware KB85717 if patching is not possible. The workaround includes both a script (to automate the manual steps) and manual steps for updating the “/etc/vmware-analytics/ph-web.xml” file
  • Upgrade path from 6.7 U3o to 7.0 U2d is supported
  • Upgrade path from 6.5 U3q to 7.0 U2d is supported
  • For VCSA 7.0 – Please upgrade to 7.0 U2d as soon as possible. The patch includes all fixes and will revert the workaround documented in VMware KB85717.
  • For VCSA 6.7 – Please upgrade to 6.7 U3o as soon as possible. The patch includes all fixes and will revert the workaround documented in VMware KB85717.
  • For VCSA 6.5 – Please upgrade to 6.5 U3q as soon as possible to mitigate several IMPORTANT vulnerabilities.
  • Back-in-time upgrade scenarios: KB67077 (vSphere Back-in-time release upgrade restriction)
  • VMSA-2021-0020 FAQs
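To turn the bullets above into a repeatable triage check for an estate of vCenter appliances, here is an added example (not VMware's script or anything from KB85717) that takes the installed release in the "6.7 U3o" naming used in this notice and answers three questions per train: is it still exposed to CVE-2021-22005, does it carry every VMSA-2021-0020 fix, and what is the next step. It assumes the operator has already mapped the installed build to that release label from the release notes; the release ordering rule (major.minor, then update number, then update letter) is the author's assumption.

```python
import re
from dataclasses import dataclass

# Release labels as written in the advisory notice ("7.0 U2d"). Mapping an
# appliance's build number to this naming is left to the operator (assumption).
LABEL_RE = re.compile(r"^(\d+)\.(\d+)(?:\s+U(\d+)([a-z])?)?$")

def parse_label(label: str):
    """'6.7 U3o' -> (6, 7, 3, 15); a GA release ('7.0') sorts before any update."""
    m = LABEL_RE.match(label.strip())
    if not m:
        raise ValueError(f"unrecognised release label: {label!r}")
    major, minor, update, letter = m.groups()
    letter_rank = (ord(letter) - ord("a") + 1) if letter else 0
    return (int(major), int(minor), int(update or 0), letter_rank)

# Per-train facts taken from the notice: first release with CVE-2021-22005 fixed
# (None = train not impacted) and the release carrying every VMSA-2021-0020 fix.
FIXED = {
    (7, 0): {"cve_2021_22005": "7.0 U2c", "all_fixes": "7.0 U2d"},
    (6, 7): {"cve_2021_22005": "6.7 U3o", "all_fixes": "6.7 U3o"},
    (6, 5): {"cve_2021_22005": None, "all_fixes": "6.5 U3q"},
}

@dataclass
class Triage:
    train: str
    cve_2021_22005_exposed: bool
    fully_patched: bool
    action: str

def triage(installed: str) -> Triage:
    """Classify one appliance by its installed release label."""
    v = parse_label(installed)
    train = v[:2]
    if train not in FIXED:
        raise ValueError(f"{installed}: not one of the 3 trains covered by VMSA-2021-0020")
    fixes = FIXED[train]
    critical_fix = fixes["cve_2021_22005"]
    exposed = critical_fix is not None and v < parse_label(critical_fix)
    patched = v >= parse_label(fixes["all_fixes"])
    if patched:
        action = "no action required for VMSA-2021-0020"
    elif exposed:
        # Critical RCE reachable on 443: patch first; KB85717 only buys time.
        action = f"upgrade to {fixes['all_fixes']} now; apply the KB85717 workaround until then"
    else:
        action = f"upgrade to {fixes['all_fixes']} to pick up the remaining CVEs in the advisory"
    return Triage(f"{train[0]}.{train[1]}", exposed, patched, action)
```

Feed it the release label of each appliance from your inventory and sort by `cve_2021_22005_exposed` to get the patch-first list.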