VMware has published security upgrades for the vCenter Server after addressing arbitrary file read and server-side request forgery (SSRF) vulnerabilities in the vSphere Web Client (FLEX/Flash).
A VMWare security alert was released on November 23 and the US Cybersecurity and Infrastructure Security Agency (CISA) also encouraged enterprises to use vulnerable instances of the server management platform to deploy required upgrades.
In terms of severity, both flaws were labelled as 'important.' The most serious, with a CVSS rating of 7.5, is the arbitrary file read flaw (CVE-2021-21980), which if exploited might allow a nefarious attacker to get access to sensitive data. The SSRF vulnerability (CVE-2021-22049) was discovered in the vSAN Web Client (vSAN UI) plugin, with a CVSS of 6.5. An attacker might take advantage of this vulnerability by gaining access to an internal service or making a URL request from outside of the vCenter Server.
VMware has released security updates for vCenter Server versions 6.5 and 6.7 that address both vulnerabilities.
The issues do not impact the 7.x release line, which cannot utilise vSphere Web Client (FLEX/Flash).Cloud Foundation's 3.x release line is still waiting for patches for both problems, whereas 4.x is untouched.
VMware acknowledged Orz lab's 'ch0wn' for disclosing the arbitrary file read issue and the QI-ANXIN Group's'magiczero for reporting the SSRF.
As per Statista, three of the top five server virtualization systems with the largest market share are VMware platforms, with vSphere leading the pack and vCenter Server ranking fifth.
VMware's dominance in the server virtualization market, along with many organisations' latency to implement upgrades, has made its systems great targets for skilled attackers.
The Daily Swig revealed in September that another significant arbitrary file upload flaw in the vCenter Server was being exploited.
In June, it was revealed that thousands of vCenter Server instances remained unpatched for three weeks after a pair of serious issues in the vSphere Client (HTML5) were discovered.