VMware on Tuesday posted a new bulletin warning of as many as 19 vulnerabilities in vCenter Server and Cloud Basis appliances that a distant attacker could get manage of an influenced system.
The most urgent among the them is an arbitrary file upload vulnerability in the Analytics provider (CVE-2021-22005) that impacts vCenter Server 6.7 and 7. deployments. “A destructive actor with network obtain to port 443 on vCenter Server might exploit this issue to execute code on vCenter Server by uploading a specially crafted file,” the company noted, adding “this vulnerability can be applied by anybody who can arrive at vCenter Server about the network to attain obtain, irrespective of the configuration settings of vCenter Server.”
Despite the fact that VMware has posted workarounds for the flaw, the organization cautioned that they are “intended to be a temporary solution right up until updates […] can be deployed.”
The total list of flaws patched by the virtualization expert services service provider is as follows —
- CVE-2021-22005 (CVSS score: 9.8) – vCenter Server file add vulnerability
- CVE-2021-21991 (CVSS rating: 8.8) – vCenter Server community privilege escalation vulnerability
- CVE-2021-22006 (CVSS score: 8.3) – vCenter Server reverse proxy bypass vulnerability
- CVE-2021-22011 (CVSS score: 8.1) – vCenter server unauthenticated API endpoint vulnerability
- CVE-2021-22015 (CVSS score: 7.8) – vCenter Server inappropriate permission area privilege escalation vulnerabilities
- CVE-2021-22012 (CVSS score: 7.5) – vCenter Server unauthenticated API information disclosure vulnerability
- CVE-2021-22013 (CVSS rating: 7.5) – vCenter Server file path traversal vulnerability
- CVE-2021-22016 (CVSS score: 7.5) – vCenter Server reflected XSS vulnerability
- CVE-2021-22017 (CVSS rating: 7.3) – vCenter Server rhttpproxy bypass vulnerability
- CVE-2021-22014 (CVSS score: 7.2) – vCenter Server authenticated code execution vulnerability
- CVE-2021-22018 (CVSS rating: 6.5) – vCenter Server file deletion vulnerability
- CVE-2021-21992 (CVSS score: 6.5) – vCenter Server XML parsing denial-of-service vulnerability
- CVE-2021-22007 (CVSS score: 5.5) – vCenter Server nearby data disclosure vulnerability
- CVE-2021-22019 (CVSS rating: 5.3) – vCenter Server denial of assistance vulnerability
- CVE-2021-22009 (CVSS score: 5.3) – vCenter Server VAPI numerous denial of provider vulnerabilities
- CVE-2021-22010 (CVSS score: 5.3) – vCenter Server VPXD denial of service vulnerability
- CVE-2021-22008 (CVSS rating: 5.3) – vCenter Server data disclosure vulnerability
- CVE-2021-22020 (CVSS rating: 5.) – vCenter Server Analytics support denial-of-provider vulnerability
- CVE-2021-21993 (CVSS rating: 4.3) – vCenter Server SSRF vulnerability
Credited with reporting most of the flaws are George Noseevich and Sergey Gerasimov of SolidLab LLC, along with Hynek Petrak of Schneider Electric powered, Yuval Lazar of Pentera, and Osama Alaa of Malcrove.
“The ramifications of [CVE-2021-22005] are really serious and it is a make a difference of time – probable minutes following the disclosure – ahead of performing exploits are publicly obtainable,” VMware reported in an FAQ urging buyers to straight away update their vCenter installations.
“With the danger of ransomware looming today the most secure stance is to believe that an attacker may perhaps presently have regulate of a desktop and a person account by way of the use of techniques like phishing or spear-phishing, and act appropriately. This usually means the attacker may perhaps presently be capable to get to vCenter Server from within a corporate firewall, and time is of the essence,” the business added.
Found this post attention-grabbing? Stick to THN on Facebook, Twitter and LinkedIn to examine more distinctive material we post.
Some sections of this short article are sourced from: