VMware ESXi and vCenter Server updates address multiple security vulnerabilities.
The advisory covers three issues:
- A remote code execution vulnerability in the vSphere Client (CVE-2021-21972)
- An SSRF vulnerability in the vSphere Client (CVE-2021-21973)
- An ESXi OpenSLP heap-overflow vulnerability (CVE-2021-21974)
The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin (CVE-2021-21972). A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
Impacted Products
- VMware ESXi
- VMware vCenter Server (vCenter Server)
- VMware Cloud Foundation (Cloud Foundation)
Recommended Solution
Upgrade to VMware vCenter Server 6.5 U3n, 6.7 U3l, or 7.0 U1c (or later in the same branch), or apply the workaround described in the VMware advisory.
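A version-triage check for the upgrade step above, written here as an added example (it is not VMware's or Tenable's code). It parses vCenter Server version strings in the "major.minor Un<letter>" form used in the advisory, compares each against the fixed release for its branch, and flags anything older, or on a branch the advisory does not list, for update or workaround. The inventory, hostnames and the helper names (`parse_version`, `is_fixed`, `triage`) are all constructed for this example.

```python
"""
Triage vCenter Server version strings against the fixed releases named in
VMSA-2021-0002 (6.5 U3n, 6.7 U3l, 7.0 U1c or later).
Added example; the sample inventory below is constructed, not real data.
"""
import re

# Minimum fixed release per branch, as stated in the advisory:
# branch -> (update number, letter suffix)
FIXED = {
    (6, 5): (3, "n"),   # 6.5 U3n
    (6, 7): (3, "l"),   # 6.7 U3l
    (7, 0): (1, "c"),   # 7.0 U1c
}

# "6.7 U3l", "7.0 U1c", "7.0 U1" or a bare GA release such as "7.0"
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\s+U(\d+)([a-z]?))?\s*$")


def parse_version(text):
    """Parse '6.7 U3l' into ((6, 7), (3, 'l')).

    A release with no update suffix (GA) is treated as update 0, and an
    update with no letter (e.g. 'U1') as an empty letter, which sorts
    before 'a'.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised vCenter version string: {text!r}")
    major, minor, update, letter = m.groups()
    return (int(major), int(minor)), (int(update or 0), letter or "")


def is_fixed(text):
    """True if the version is at or past the fixed release of its branch.

    Branches the advisory does not list are reported as not fixed so the
    caller investigates them instead of silently passing them.
    """
    branch, (update, letter) = parse_version(text)
    if branch not in FIXED:
        return False
    fixed_update, fixed_letter = FIXED[branch]
    # Compare the update number first; within one update the letter suffix
    # orders the releases (U3k < U3l < U3n).
    return (update, letter) >= (fixed_update, fixed_letter)


def triage(inventory):
    """Map (hostname, version) pairs to 'fixed' or 'needs update/workaround'."""
    return {
        host: ("fixed" if is_fixed(version) else "needs update/workaround")
        for host, version in inventory
    }


if __name__ == "__main__":
    # Constructed sample inventory with hypothetical hostnames.
    sample = [
        ("vcsa-lab.example.test", "6.7 U3l"),
        ("vcsa-old.example.test", "6.7 U3j"),
        ("vcsa-ga.example.test", "7.0"),
        ("vcsa-new.example.test", "7.0 U1d"),
    ]
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

The check works on the marketing-style version names used in the advisory because those are the values this page gives; build numbers are the more precise identifier, but the page does not list them, so they are deliberately left out. ESXi hosts are not covered by this check since the page names fixed releases only for vCenter Server.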
- VMware Advisory: https://www.vmware.com/security/advisories/VMSA-2021-0002.html
- Tenable Summary: https://www.tenable.com/plugins/nessus/146826
If you have any questions regarding this vulnerability, please contact us.