May 26, 2021

VMware has released an urgent security update addressing a critical remote code execution (RCE) vulnerability in the Virtual SAN Health Check plug-in affecting ALL vCenter Server deployments.

In addition, the company patched a medium severity vulnerability affecting Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins.

The Vulnerabilities

• CVE-2021-21985 CVSSv3 score 9.8
  The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server.

* This vulnerability is critical and should be remediated immediately 

• CVE-2021-21986 CVSSv3 score 6.5
  The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins.

Affected Systems

• VMware vCenter Server (vCenter Server)
• VMware Cloud Foundation (Cloud Foundation)

Remediation

CYREBRO urges all clients using VMware vCenter and Cloud Foundation to update immediately to the fixed versions mentioned in the table below.

Workarounds are also available.