Critical Vulnerability Affecting VMware vCenter Servers

VMware has released an urgent security update addressing a critical remote code execution (RCE) vulnerability in the Virtual SAN Health Check plug-in of the vSphere Client. The plug-in is enabled by default in every vCenter Server deployment, whether or not vSAN is in use, so the flaw is exploitable even where vSAN has never been configured.

In addition, the company patched a moderate-severity authentication bypass affecting the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins.

The Vulnerabilities

  • CVE-2021-21985 CVSSv3 score 9.8 (Critical)
    The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server. An attacker with network access to port 443 on vCenter Server can exploit it to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. No credentials are required. This vulnerability is critical and should be remediated immediately.

  • CVE-2021-21986 CVSSv3 score 6.5 (Moderate)
    The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. An attacker with network access to port 443 on vCenter Server can perform actions allowed by the affected plug-ins without authentication.

Affected Systems

  • VMware vCenter Server (vCenter Server)
  • VMware Cloud Foundation (Cloud Foundation)

Remediation

CYREBRO urges all clients using VMware vCenter and Cloud Foundation to update immediately to the fixed versions mentioned in the table below.

Where patching cannot happen immediately, VMware's workaround (KB83829) disables the affected plug-ins by marking them incompatible in /etc/vmware/vsphere-ui/compatibility-matrix.xml on the vCenter Server Appliance and restarting the vsphere-ui service. The plug-ins, and the features they provide (vSAN health monitoring, Site Recovery, Lifecycle Manager, Cloud Director Availability), stay unavailable until the fixed version is installed, so the workaround is a stop-gap, not a substitute for the update. Note that vCenter exposes the vulnerable endpoints on the same port 443 used for normal administration, so restricting who can reach the vCenter management interface limits exposure but does not remove it.

Product                           Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
vCenter Server                    7.0      Any         CVE-2021-21985  9.8     Critical  7.0 U2b        KB83829      FAQ
vCenter Server                    6.7      Any         CVE-2021-21985  9.8     Critical  6.7 U3n        KB83829      FAQ
vCenter Server                    6.5      Any         CVE-2021-21985  9.8     Critical  6.5 U3p        KB83829      FAQ
Cloud Foundation (vCenter Server) 4.x      Any         CVE-2021-21985  9.8     Critical  4.2.1          KB83829      FAQ
Cloud Foundation (vCenter Server) 3.x      Any         CVE-2021-21985  9.8     Critical  3.10.2.1       KB83829      FAQ
vCenter Server                    7.0      Any         CVE-2021-21986  6.5     Moderate  7.0 U2b        KB83829      FAQ
vCenter Server                    6.7      Any         CVE-2021-21986  6.5     Moderate  6.7 U3n        KB83829      FAQ
vCenter Server                    6.5      Any         CVE-2021-21986  6.5     Moderate  6.5 U3p        KB83829      FAQ
Cloud Foundation (vCenter Server) 4.x      Any         CVE-2021-21986  6.5     Moderate  4.2.1          KB83829      FAQ
Cloud Foundation (vCenter Server) 3.x      Any         CVE-2021-21986  6.5     Moderate  3.10.2.1       KB83829      FAQ
