Tanzania Computer Emergency Response Team
Advisory No: TZCERT/SA/2021/05/27
Date of First Release: 27th May 2021
Source: VMware
Software Affected:
- VMware vCenter Server (vCenter Server)
- VMware Cloud Foundation (Cloud Foundation)
Overview:
Multiple vulnerabilities exist in vSphere Client (HTML5) that could cause remote code execution (CVE-2021-21985) and perform actions allowed by Virtual SAN Health Check plug-in without authentication (CVE-2021-21986).
Description:
The vSphere Client (HTML5) contains a remote code execution (CVE-2021-21985) vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in enabled in the vCenter server by default.
Similarly, the client contains another authentication vulnerability (CVE-2021-21986) for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins that could allow an attacker to bypass authentication and perform actions supported by the plug-ins.
Impact:
Successful exploitation of these vulnerabilities could lead to remote code execution and authentication bypass on the affected system.
Solution:
VMware has issued both security updates to address the affected products. Users and administrators are advised to apply necessary updates (Vcenter server (7.0 U2b, 6.7 U3n, 6.5 U3p), Cloud Foundation ( 4.2.1 and .10.2.1)) on affected products.
References:
- https://kb.vmware.com/s/article/83829
- https://www.vmware.com/security/advisories/VMSA-2021-0010.html