Urgent VMware Alert: Impact to vCenter and ESXi Versions

Jeff Silverman


VMware has recently reported vulnerabilities in VMware ESXi and the vSphere Client (HTML5). Updates are available to remediate these vulnerabilities in the affected VMware products: VMware ESXi, VMware vCenter Server (vCenter Server) and VMware Cloud Foundation (Cloud Foundation).

3a. VMware vCenter Server updates address remote code execution vulnerability in the vSphere Client (CVE-2021-21972)

  • Description – The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
  • Resolution – To remediate CVE-2021-21972 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.
  • Notes – The affected vCenter Server plugin for vROPs is present in all default installations; vROPs does not need to be deployed for this endpoint to be available. Follow the workarounds KB to disable it.

Impacted Product Suites that Deploy Response Matrix 3a Components:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| Cloud Foundation (vCenter Server) | 4.x | Any | CVE-2021-21972 | 9.8 | Critical | 4.2 | KB82374 | None |
| Cloud Foundation (vCenter Server) | 3.x | Any | CVE-2021-21972 | 9.8 | Critical | 3.10.1.2 | KB82374 | None |

 

3b. ESXi OpenSLP heap-overflow vulnerability (CVE-2021-21974)

  • Description – OpenSLP as used in ESXi has a heap-overflow vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.
  • Resolution – To remediate CVE-2021-21974 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.
  • Notes – [1] Per the Security Configuration Guides for VMware vSphere, VMware now recommends disabling the OpenSLP service in ESXi if it is not used. For more information, see their posting: https://blogs.vmware.com/vsphere/2021/02/evolving-the-vmware-vsphere-security-configuration-guides.html [2] KB82705 documents the steps to apply the ESXi hot patch asynchronously on top of the latest ESXi build supported by VMware Cloud Foundation (VCF).

Impacted Product Suites that Deploy Response Matrix 3b Components:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| [1] Cloud Foundation (ESXi) | 4.x | Any | CVE-2021-21974 | 8.8 | Important | 4.2 | KB76372 | None |
| [1] Cloud Foundation (ESXi) | 3.x | Any | CVE-2021-21974 | 8.8 | Important | [2] KB82705 | KB76372 | None |
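Note [1] above recommends disabling OpenSLP on ESXi hosts where it is not used. The PowerCLI script below is an added example, not code from this post, from VMware or from KB76372: it reports the SLP service state on every host managed by a vCenter and, only when run with -Remediate, stops the service, sets it not to start on boot and closes its firewall rule. The service key 'slpd' and the firewall rule name 'CIM SLP' are assumptions about ESXi's service list, not values stated on this page.

```powershell
# Added example (not from the post or the VMware advisory).
# Assumes VMware PowerCLI is installed and the account has host
# configuration rights on vCenter. Service key 'slpd' and firewall
# rule 'CIM SLP' are assumed names; confirm them on one host with
# Get-VMHostService / Get-VMHostFirewallException before wide use.
param(
    [Parameter(Mandatory)] [string] $VCenter,
    [switch] $Remediate      # without this switch the script only reports
)

Connect-VIServer -Server $VCenter | Out-Null

$report = foreach ($vmHost in Get-VMHost | Sort-Object Name) {
    $slp = Get-VMHostService -VMHost $vmHost | Where-Object { $_.Key -eq 'slpd' }
    $fw  = Get-VMHostFirewallException -VMHost $vmHost -Name 'CIM SLP' -ErrorAction SilentlyContinue

    if ($Remediate -and $slp) {
        # Stop the daemon, keep it from starting at boot, then close the
        # firewall ruleset so nothing reaches the SLP port at all.
        if ($slp.Running)          { Stop-VMHostService -HostService $slp -Confirm:$false | Out-Null }
        if ($slp.Policy -ne 'off') { Set-VMHostService -HostService $slp -Policy Off | Out-Null }
        if ($fw -and $fw.Enabled)  { Set-VMHostFirewallException -Exception $fw -Enabled $false | Out-Null }
        # Re-read so the report reflects the post-change state
        $slp = Get-VMHostService -VMHost $vmHost | Where-Object { $_.Key -eq 'slpd' }
        $fw  = Get-VMHostFirewallException -VMHost $vmHost -Name 'CIM SLP' -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        Host        = $vmHost.Name
        Build       = $vmHost.Build
        SlpRunning  = if ($slp) { $slp.Running } else { 'n/a' }
        SlpPolicy   = if ($slp) { $slp.Policy }  else { 'n/a' }
        SlpFirewall = if ($fw)  { $fw.Enabled }  else { 'n/a' }
    }
}

$report | Format-Table -AutoSize
Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it once without -Remediate to see which hosts still expose SLP, and keep the report as evidence that the workaround is in place until the fixed build is installed.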

 

3c. VMware vCenter Server updates address SSRF vulnerability in the vSphere Client (CVE-2021-21973)

  • Description – The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.
  • Resolution – To remediate CVE-2021-21973 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.
  • Notes – The affected vCenter Server plugin for vROPs is present in all default installations; vROPs does not need to be deployed for this endpoint to be available. Follow the workarounds KB to disable it.

Impacted Product Suites that Deploy Response Matrix 3c Components:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| Cloud Foundation (vCenter Server) | 4.x | Any | CVE-2021-21973 | 5.3 | Moderate | 4.2 | KB82374 | None |
| Cloud Foundation (vCenter Server) | 3.x | Any | CVE-2021-21973 | 5.3 | Moderate | 3.10.1.2 | KB82374 | None |

More information can be found in VMware's advisory VMSA-2021-0002: https://www.vmware.com/security/advisories/VMSA-2021-0002.html

If Kraft Kennedy can be helpful, please reach out.