VMware Releases Security Update for vCenter Server and Cloud Foundation
Summary
Security update for vCenter Server and Cloud Foundation
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
VMware has released important security updates to address two vulnerabilities in the vSphere Web Client (FLEX/Flash) portion of vCenter Server. CVE-2021-21980 is an arbitrary file read vulnerability in the vSphere Web Client, and CVE-2021-22049 is an SSRF (Server Side Request Forgery) vulnerability in the vSAN Web Client (vSAN UI) plug-in. An attacker with network access to port 443 on vCenter Server could gain access to sensitive information or take control of a system.
The vCenter Server 7.x and Cloud Foundation 4.x release lines are not affected by these vulnerabilities because they do not use the vCenter Server vSphere Web Client (FLEX/Flash).
Remediation advice
Affected organisations are encouraged to review VMware Security Advisory VMSA-2021-0027 and apply any relevant updates.
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 24 November 2021 2:04 pm