VMware Security Advisory VMSA-2021-0027


VMware has released fixes for multiple vulnerabilities in vCenter Server that were privately reported to them, and has provided patches to address the issues found. We strongly advise customers to apply the patches as soon as possible.

Advisory ID: VMSA-2021-0027

CVSSv3 Range: 6.5-7.5

Issue Date: 2021-11-23

Updated On: 2021-11-23 (Initial Advisory)

CVE(s): CVE-2021-21980, CVE-2021-22049

Synopsis: VMware vCenter Server updates address arbitrary file read and SSRF vulnerabilities (CVE-2021-21980, CVE-2021-22049)

1. Impacted Products

  • VMware vCenter Server (vCenter Server)
  • VMware Cloud Foundation (Cloud Foundation)

2. Introduction

Multiple vulnerabilities in VMware vCenter Server were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

3a. vCenter Server updates address arbitrary file read vulnerability in the vSphere Web Client (CVE-2021-21980)

Description

The vSphere Web Client (FLEX/Flash) contains an unauthorized arbitrary file read vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

Known Attack Vectors

A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information.

Resolution

To remediate CVE-2021-21980, apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.

Workarounds

None.

Additional Documentation

None.

Notes

The vSphere Web Client (FLEX/Flash) is not available in vCenter Server 7.x; therefore this issue is not applicable to the vCenter Server 7.x release line.

Acknowledgements

VMware would like to thank ch0wn of Orz lab for reporting this issue to us.

Response Matrix:

Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
vCenter Server | 7.0 | Any | CVE-2021-21980 | N/A | N/A | Unaffected | N/A | N/A
vCenter Server | 6.7 | Any | CVE-2021-21980 | 7.5 | Important | 6.7 U3p | None | None
vCenter Server | 6.5 | Any | CVE-2021-21980 | 7.5 | Important | 6.5 U3r | None | None

Impacted Product Suites that Deploy Response Matrix 3a Components:

Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
Cloud Foundation (vCenter Server) | 4.x | Any | CVE-2021-21980 | N/A | N/A | Unaffected | N/A | N/A
Cloud Foundation (vCenter Server) | 3.x | Any | CVE-2021-21980 | 7.5 | Important | Patch Pending | None | None

3b. vCenter Server updates address SSRF vulnerability in the vSphere Web Client (CVE-2021-22049)

Description

The vSphere Web Client (FLEX/Flash) contains an SSRF (Server Side Request Forgery) vulnerability in the vSAN Web Client (vSAN UI) plug-in. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.

Known Attack Vectors

A malicious actor with network access to port 443 on vCenter Server may exploit this issue by accessing a URL request outside of vCenter Server or accessing an internal service.

Resolution

To remediate CVE-2021-22049, apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.

Workarounds

None.

Additional Documentation

None.

Notes

The vSphere Web Client (FLEX/Flash) is not available in vCenter Server 7.x; therefore this issue is not applicable to the vCenter Server 7.x release line.

Acknowledgements

VMware would like to thank lmagiczero for reporting this issue to us.

Response Matrix:

Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
vCenter Server | 7.0 | Any | CVE-2021-22049 | N/A | N/A | Unaffected | N/A | N/A
vCenter Server | 6.7 | Any | CVE-2021-22049 | 6.5 | Moderate | 6.7 U3p | None | None
vCenter Server | 6.5 | Any | CVE-2021-22049 | 6.5 | Moderate | 6.5 U3r | None | None

Impacted Product Suites that Deploy Response Matrix 3b Components:

Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
Cloud Foundation (vCenter Server) | 4.x | Any | CVE-2021-22049 | N/A | Unaffected | KB85254 | N/A | N/A
Cloud Foundation (vCenter Server) | 3.x | Any | CVE-2021-22049 | Moderate | Patch Pending | KB85254 | None | None

4. References

Fixed Version(s) and Release Notes:

vCenter Server 6.7 U3p
Downloads and Documentation:
https://customerconnect.vmware.com/en/downloads/details?downloadGroup=VC67U3P&productId=742&rPId=78421
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3p-release-notes.html

vCenter Server 6.5 U3r
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC65U3R&productId=614&rPId=74057
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u3r-release-notes.html

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21980
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22049

FIRST CVSSv3 Calculator:
CVE-2021-21980: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2021-22049: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

5. Change Log

2021-11-23 VMSA-2021-0027

Initial security advisory.
