VMware has rolled out patches to address a critical security vulnerability in vCenter Server that could be leveraged by an adversary to execute arbitrary code on the server.
Tracked as CVE-2021-21985 (CVSS score 9.8), the issue stems from a lack of input validation in the Virtual SAN () Health Check plug-in, which is enabled by default in vCenter Server. “A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server,” VMware said in its advisory.
VMware vCenter Server is a server management utility that is used to control virtual machines, ESXi hosts, and other dependent components from a single centralized location. The flaw affects vCenter Server versions 6.5, 6.7, and 7.0 and Cloud Foundation versions 3.x and 4.x. VMware credited Ricter Z of 360 Noah Lab for reporting the vulnerability.
The patch release also rectifies an authentication issue in the vSphere Client that affects the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins (CVE-2021-21986, CVSS score: 6.5), which allows an attacker to carry out actions permitted by the plug-ins without any authentication.
While VMware strongly recommends that customers apply the “,” the company has also published a workaround to set the plug-ins as incompatible. “Disablement of these plug-ins will result in a loss of management and monitoring capabilities provided by the plug-ins,” the company noted.
“Organizations who have placed their vCenter Servers on networks that are directly accessible from the Internet […] should audit their systems for compromise,” VMware said. “They should also take steps to implement more perimeter security controls (firewalls, ACLs, etc.) on the management interfaces of their infrastructure.”
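The advice above combines two tasks: restrict who can reach the vCenter management interface on TCP/443, and audit for access that should not have happened. The following script is an added example (not from the article and not VMware's own tooling) that encodes a simple management-network ACL and runs it over perimeter firewall connection records; the log format, firewall name, addresses, and network ranges are constructed for illustration.

```python
"""Audit firewall connection logs for access to a vCenter management interface
(TCP/443) from outside approved management networks.

Added example, not from the article or from VMware. The log format, firewall
name, addresses, and network ranges below are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Constructed policy: only these networks may reach the vCenter UI/API on 443.
MGMT_NETS = [
    ipaddress.ip_network("10.10.0.0/24"),
    ipaddress.ip_network("192.168.50.0/24"),
]
VCENTER_ADDR = "10.20.0.5"  # constructed vCenter management address
MGMT_PORT = 443

# Constructed, syslog-style connection records as a perimeter firewall might emit.
SAMPLE_LOG = """\
2021-05-26T10:00:01Z fw1 ACCEPT src=10.10.0.12 dst=10.20.0.5 dport=443
2021-05-26T10:00:07Z fw1 ACCEPT src=203.0.113.77 dst=10.20.0.5 dport=443
2021-05-26T10:00:09Z fw1 ACCEPT src=198.51.100.9 dst=10.20.0.5 dport=22
2021-05-26T10:00:15Z fw1 ACCEPT src=192.168.50.3 dst=10.20.0.5 dport=443
2021-05-26T10:00:21Z fw1 ACCEPT src=198.51.100.9 dst=10.20.0.5 dport=443
2021-05-26T10:00:30Z fw1 ACCEPT src=203.0.113.77 dst=10.20.0.5 dport=443
"""

LOG_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")


def violates_mgmt_acl(src, dst, dport):
    """True when a connection reached the vCenter management port from a source
    outside the approved management networks. Traffic to other destinations or
    ports is outside this rule's scope and never counts as a violation."""
    if dst != VCENTER_ADDR or dport != MGMT_PORT:
        return False
    src_addr = ipaddress.ip_address(src)
    return not any(src_addr in net for net in MGMT_NETS)


def parse_record(line):
    """Extract (src, dst, dport) from one log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], int(m["dport"])


def find_unapproved_access(log_text):
    """Return the log lines that reached vCenter on 443 from a non-management source."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if violates_mgmt_acl(*rec):
            hits.append(line)
    return hits


def offending_sources(log_text):
    """Count unapproved 443 connections per source address, for triage."""
    counts = Counter()
    for line in find_unapproved_access(log_text):
        src, _, _ = parse_record(line)
        counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in find_unapproved_access(SAMPLE_LOG):
        print("UNAPPROVED:", line)
    print(offending_sources(SAMPLE_LOG))
```

Any source the audit reports is a host that could reach the vulnerable plug-in before the patch or workaround was applied, so those hosts and the vCenter itself are the place to start the compromise review; the same `violates_mgmt_acl` predicate is the rule to enforce at the firewall going forward.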
CVE-2021-21985 is the second critical vulnerability that VMware has rectified in vCenter Server. Earlier this February, it resolved a remote code execution vulnerability in a vCenter Server plug-in () that could be abused to run commands with unrestricted privileges on the underlying operating system hosting the server.
The fixes for the vCenter flaws also come after the company patched another critical remote code execution bug in VMware vRealize Business for Cloud (, CVSS score: 9.8) caused by an unauthorized endpoint that could be exploited by a malicious actor with network access to run arbitrary code on the appliance.
Previously, VMware had rolled out updates to […] in VMware Carbon Black Cloud Workload and vRealize Operations Manager solutions.