• VMware vCenter Server (vCenter Server)
  
• VMware Cloud Foundation (Cloud Foundation)
  

Multiple vulnerabilities in VMware vCenter Server were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

The vSphere Web Client (FLEX/Flash) contains an unauthorized arbitrary file read vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information.

To remediate CVE-2021-21980 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments.

None.

None.

vCenter Server vSphere Web Client (FLEX/Flash) is not available in vCenter Server 7.x, therefore this issue is not applicable to vCenter Server 7.x release line.

VMware would like to thank ch0wn of Orz lab for reporting this issue to us.

The vSphere Web Client (FLEX/Flash) contains an SSRF (Server Side Request Forgery) vulnerability in the vSAN Web Client (vSAN UI) plug-in. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.

A malicious actor with network access to port 443 on vCenter Server may exploit this issue by accessing a URL request outside of vCenter Server or accessing an internal service.

To remediate CVE-2021-22049 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments.

None.

None.

vCenter Server vSphere Web Client (FLEX/Flash) is not available in vCenter Server 7.x, therefore this issue is not applicable to vCenter Server 7.x release line.

VMware would like to thank magiczero from SGLAB of Legendsec at Qi'anxin Group for reporting this issue to us.

Fixed Version(s) and Release Notes:

vCenter Server 6.7 U3p
Downloads and Documentation:
https://customerconnect.vmware.com/en/downloads/details?downloadGroup=VC67U3P&productId=742&rPId=78421
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3p-release-notes.html

vCenter Server 6.5 U3r
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC65U3R&productId=614&rPId=74057
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u3r-release-notes.html

VMware Cloud Foundation 3.11
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.11/rn/VMware-Cloud-Foundation-311-Release-Notes.html

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21980 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22049

FIRST CVSSv3 Calculator:
CVE-2021-21980: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2021-22049: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

2021-11-23 VMSA-2021-0027
Initial security advisory.

2022-02-15 VMSA-2021-0027.1

Updated security advisory to add Cloud Foundation 3.x fixed version in the response matrix of 3a & 3b.

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce 

This Security Advisory is posted to the following lists:  

[email protected]  

[email protected]  

[email protected] 

E-mail: [email protected]

PGP key at:

https://kb.vmware.com/kb/1055 

VMware Security Advisories

https://www.vmware.com/security/advisories 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security 

Twitter

https://twitter.com/VMwareSRC

Copyright 2021 VMware Inc. All rights reserved.