Advisory No: TZCERT/SA/2021/05/27
Date of First Release: 27th May 2021
- VMware vCenter Server (vCenter Server)
- VMware Cloud Foundation (Cloud Foundation)
Multiple vulnerabilities exist in the vSphere Client (HTML5) that could allow remote code execution (CVE-2021-21985) and allow actions permitted by the Virtual SAN Health Check plug-in to be performed without authentication (CVE-2021-21986).
The vSphere Client (HTML5) contains a remote code execution vulnerability (CVE-2021-21985) due to a lack of input validation in the Virtual SAN Health Check plug-in, which is enabled in vCenter Server by default.
Similarly, the client contains an authentication vulnerability (CVE-2021-21986) in the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins that could allow an attacker to bypass authentication and perform actions supported by those plug-ins.
Successful exploitation of these vulnerabilities could lead to remote code execution and authentication bypass on the affected system.
VMware has issued security updates that address both vulnerabilities in the affected products. Users and administrators are advised to apply the necessary updates (vCenter Server 7.0 U2b, 6.7 U3n and 6.5 U3p; Cloud Foundation 4.2.1 and .10.2.1) to affected products.