Severity: Important
Advisory ID: VMSA-2021-0027
CVSSv3 Range: 6.5-7.5
Issue Date: 2021-11-23
Updated On: 2021-11-23 (Initial Advisory)
CVE(s): CVE-2021-21980, CVE-2021-22049
Synopsis: VMware vCenter Server updates address arbitrary file read and SSRF vulnerabilities (CVE-2021-21980, CVE-2021-22049)

1. Impacted Products
  • VMware vCenter Server (vCenter Server)
  • VMware Cloud Foundation (Cloud Foundation)
2. Introduction

Multiple vulnerabilities in VMware vCenter Server were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

3a. vCenter Server updates address arbitrary file read vulnerability in the vSphere Web Client (CVE-2021-21980)

Description

The vSphere Web Client (FLEX/Flash) contains an unauthorized arbitrary file read vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

Known Attack Vectors

A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information.

Resolution

To remediate CVE-2021-21980, apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments.

Workarounds

None.

Additional Documentation

None.

Notes

The vSphere Web Client (FLEX/Flash) is not available in vCenter Server 7.x; therefore this issue is not applicable to the vCenter Server 7.x release line.

Acknowledgements

VMware would like to thank ch0wn of Orz lab for reporting this issue to us.

Response Matrix:

Product         Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
vCenter Server  7.0      Any         CVE-2021-21980  N/A     N/A        Unaffected     N/A          N/A
vCenter Server  6.7      Any         CVE-2021-21980          Important                 None         None
vCenter Server  6.5      Any         CVE-2021-21980          Important                 None         None

Impacted Product Suites that Deploy Response Matrix 3a Components:

Product                            Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
Cloud Foundation (vCenter Server)  4.x      Any         CVE-2021-21980  N/A     N/A        Unaffected     N/A          N/A
Cloud Foundation (vCenter Server)  3.x      Any         CVE-2021-21980          Important  Patch Pending  None         None

3b. vCenter Server updates address SSRF vulnerability in the vSphere Web Client (CVE-2021-22049)

Description

The vSphere Web Client (FLEX/Flash) contains an SSRF (Server Side Request Forgery) vulnerability in the vSAN Web Client (vSAN UI) plug-in. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.

Known Attack Vectors

A malicious actor with network access to port 443 on vCenter Server may exploit this issue to cause vCenter Server to issue a request to a URL outside of vCenter Server or to an internal service.

Resolution

To remediate CVE-2021-22049, apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments.

Workarounds

None.

Additional Documentation

None.

Notes

The vSphere Web Client (FLEX/Flash) is not available in vCenter Server 7.x; therefore this issue is not applicable to the vCenter Server 7.x release line.

Acknowledgements

VMware would like to thank magiczero from SGLAB of Legendsec at Qi'anxin Group for reporting this issue to us.

Response Matrix:

Product         Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
vCenter Server  7.0      Any         CVE-2021-22049  N/A     N/A        Unaffected     N/A          N/A
vCenter Server  6.7      Any         CVE-2021-22049          Moderate                  None         None
vCenter Server  6.5      Any         CVE-2021-22049          Moderate                  None         None

Impacted Product Suites that Deploy Response Matrix 3b Components:

Product                            Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
Cloud Foundation (vCenter Server)  4.x      Any         CVE-2021-22049  N/A     N/A        Unaffected     N/A          N/A
Cloud Foundation (vCenter Server)  3.x      Any         CVE-2021-22049          Moderate   Patch Pending  None         None

4. References
5. Change Log

2021-11-23 VMSA-2021-0027
Initial security advisory.

6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org

E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055

VMware Security Advisories
https://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

Copyright 2021 VMware Inc. All rights reserved.