VMware has recently reported vulnerabilities in VMware ESXi and the vSphere Client (HTML5). Updates are available to remediate these vulnerabilities in the affected VMware products: VMware ESXi, VMware vCenter Server (vCenter Server), and VMware Cloud Foundation (Cloud Foundation).
3a. VMware vCenter Server updates address remote code execution vulnerability in the vSphere Client (CVE-2021-21972)
- Description – The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
- Resolution – To remediate CVE-2021-21972 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.
- Notes – The affected vCenter Server plugin for vROPs is available in all default installations. vROPs does not need to be present for this endpoint to be available. Follow the workarounds KB to disable it.
Impacted Product Suites that Deploy Response Matrix 3a Components:
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| Cloud Foundation (vCenter Server) | 4.x | Any | CVE-2021-21972 | 9.8 | Critical | 4.2 | KB82374 | None |
| Cloud Foundation (vCenter Server) | 3.x | Any | CVE-2021-21972 | 9.8 | Critical | 3.10.1.2 | KB82374 | None |
3b. ESXi OpenSLP heap-overflow vulnerability (CVE-2021-21974)
- Description – OpenSLP as used in ESXi has a heap-overflow vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.
- Resolution – To remediate CVE-2021-21974 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.
- Notes –
  - [1] Per the Security Configuration Guides for VMware vSphere, VMware now recommends disabling the OpenSLP service in ESXi if it is not used. For more information, see their posting: https://blogs.vmware.com/vsphere/2021/02/evolving-the-vmware-vsphere-security-configuration-guides.html
  - [2] KB82705 documents the steps to apply the ESXi hot patch asynchronously on top of the latest VMware Cloud Foundation (VCF) supported ESXi build.
Impacted Product Suites that Deploy Response Matrix 3b Components:
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| [1] Cloud Foundation (ESXi) | 4.x | Any | CVE-2021-21974 | 8.8 | Important | 4.2 | KB76372 | None |
| [1] Cloud Foundation (ESXi) | 3.x | Any | CVE-2021-21974 | 8.8 | Important | [2] KB82705 | KB76372 | None |
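Note [1] above recommends disabling OpenSLP on ESXi hosts where it is not used, and KB76372 (the workaround the matrix cites) does so by stopping slpd, turning off its startup and closing the CIMSLP firewall ruleset. The following is an added example, not code from the advisory, VMware or Kraft Kennedy: a POSIX shell audit that reads the output of the real ESXi commands `chkconfig --list` and `esxcli network firewall ruleset list` and reports whether a host is still exposed on the SLP port. The function names and the sample command output are constructed for the example; on a host where `esxcli` is present the script audits the live configuration instead.

```shell
#!/bin/sh
# Added example, not part of the advisory or of VMware's KBs: a small audit of
# an ESXi host's OpenSLP exposure, built on the two settings that the KB76372
# workaround changes:
#   chkconfig --list                      -> does slpd start at boot?
#   esxcli network firewall ruleset list  -> is the CIMSLP firewall ruleset enabled?
# Both parsers read command output from stdin so they can be exercised offline
# on the constructed samples below; on a real host audit_host collects live output.
#
# Remediation commands documented in KB76372 (the Workarounds column), for reference:
#   /etc/init.d/slpd stop
#   esxcli network firewall ruleset set -r CIMSLP -e 0
#   chkconfig slpd off

# Print "on"/"off" for the slpd service from `chkconfig --list` output
# (one service per line: name, then state). Prints "absent" if there is no slpd line.
slpd_boot_state() {
    awk '$1 == "slpd" { print $2; found = 1 } END { if (!found) print "absent" }'
}

# Print "true"/"false" for the CIMSLP ruleset from
# `esxcli network firewall ruleset list` output (columns: Name, Enabled).
cimslp_ruleset_state() {
    awk '$1 == "CIMSLP" { print $2; found = 1 } END { if (!found) print "absent" }'
}

# Verdict from the two states ($1 = slpd boot state, $2 = CIMSLP ruleset state).
# The host still accepts SLP traffic (port 427) if the service starts at boot
# OR the firewall ruleset is open, so either one alone means EXPOSED.
slp_verdict() {
    if [ "$1" = "on" ] || [ "$2" = "true" ]; then
        echo "EXPOSED"
    else
        echo "HARDENED"
    fi
}

# Constructed sample output for an un-remediated host (not captured from a real system).
SAMPLE_CHKCONFIG_BEFORE='hostd                   on
slpd                    on
sshd                    off'
SAMPLE_FW_BEFORE='Name                         Enabled
---------------------------  -------
sshServer                    true
CIMSLP                       true
vMotion                      true'

# Constructed sample output for the same host after the KB76372 workaround.
SAMPLE_CHKCONFIG_AFTER='hostd                   on
slpd                    off
sshd                    off'
SAMPLE_FW_AFTER='Name                         Enabled
---------------------------  -------
sshServer                    true
CIMSLP                       false
vMotion                      true'

# Evaluate one host from its two command outputs ($1 = chkconfig output,
# $2 = firewall ruleset output). Prints the verdict and returns 0 for HARDENED,
# 1 for EXPOSED so the function can drive a fleet-wide loop.
audit_from_output() {
    slpd=$(printf '%s\n' "$1" | slpd_boot_state)
    fw=$(printf '%s\n' "$2" | cimslp_ruleset_state)
    verdict=$(slp_verdict "$slpd" "$fw")
    echo "slpd=$slpd CIMSLP=$fw -> $verdict"
    [ "$verdict" = "HARDENED" ]
}

# On an ESXi host (esxcli present) audit the live configuration; elsewhere,
# run through both constructed samples so the logic can be seen end to end.
audit_host() {
    if command -v esxcli >/dev/null 2>&1; then
        audit_from_output "$(chkconfig --list)" "$(esxcli network firewall ruleset list)"
    else
        echo "before workaround:"; audit_from_output "$SAMPLE_CHKCONFIG_BEFORE" "$SAMPLE_FW_BEFORE" || true
        echo "after workaround:";  audit_from_output "$SAMPLE_CHKCONFIG_AFTER"  "$SAMPLE_FW_AFTER"
    fi
}

audit_host
```

The check deliberately treats the two settings independently: a host where slpd was stopped but the CIMSLP ruleset was left enabled reports EXPOSED, because the service will return at the next boot and the firewall still admits the traffic, which matches the three-step shape of the KB76372 workaround.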
3c. VMware vCenter Server updates address SSRF vulnerability in the vSphere Client (CVE-2021-21973)
- Description – The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.
- Resolution – To remediate CVE-2021-21973 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.
- Notes – The affected vCenter Server plugin for vROPs is available in all default installations. vROPs does not need to be present for this endpoint to be available. Follow the workarounds KB to disable it.
Impacted Product Suites that Deploy Response Matrix 3c Components:
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| Cloud Foundation (vCenter Server) | 4.x | Any | CVE-2021-21973 | 5.3 | Moderate | 4.2 | KB82374 | None |
| Cloud Foundation (vCenter Server) | 3.x | Any | CVE-2021-21973 | 5.3 | Moderate | 3.10.1.2 | KB82374 | None |
More information can be found in the VMware advisory: https://www.vmware.com/security/advisories/VMSA-2021-0002.html
If Kraft Kennedy can be helpful, please reach out.