I thought it would be good to share this here, although this is already covered on many news sites.
Yesterday VMware did publish a Security Advisory regarding multiple vulnerabilities in vCenter Server. The most critical one "CVE-2021-22005” did receive a CVSSv3 score of 9.8 (of 10) and an attacker could take over the control just be uploading a file via port 443. Although vCenter shouldn’t be reachable from the WAN/internet, the vulnerabilities should still be seen as very critical; an inside attacker could already be waiting.
All together there were 19 CVEs published and fixed by VMware. All currently supported vCenter Server releases are more or less affected:
- vCenter 7:
- <7.0 U2c: affected by all vulnerabilities → Patch to 7.0 U2d
- 7.0 U2c: “only affected” by the minor vulnerabilities → Patch to 7.0 U2d
- vCenter 6.7:
- all 6.7 releases are affected → patch to 6.7 U3o
- vCenter 6.5:
- “only affected” by the minor vulnerabilities → Patch to 6.5 U3q
→ the minior vulnerabilities are still critical and patching is recommended!
I’ve only written about vCenter Server, but VMware Cloud Foundation is also impacted by these vulnerabilities. There may be additional steps necessary besides patching, so check the Advisory below.
For more informations visit the VMware Security Advisory VMSA-2021-0020: https://www.vmware.com/security/advisories/VMSA-2021-0020.html
In addition there’s also a FAQ: https://core.vmware.com/vmsa-2021-0020-questions-answers-faq
If you want to get any future advisories from VMware, you can subscribe to them via RSS or email. Just visit the VMware Security Advisories page and check the upper right corner.