VMware fixes SSRF, arbitrary file reading flaws in vCenter Server
Adam Bannister November 24, 2021 at 13:33 UTC
Updated: November 24, 2021 at 15:46 UTC
Both “significant” severity faults reside in the vSphere Web Client
VMware has released security updates for vCenter Server that address arbitrary file read and server-side request forgery (SSRF) vulnerabilities in the vSphere Web Client (FLEX / Flash).
A security advisory released yesterday (November 23) urged companies running vulnerable instances of the server management platform to apply the relevant updates.
Both defects were rated as “significant” in terms of severity.
With a CVSS rating of 7.5, the more serious of the two is the arbitrary file read bug (CVE-2021-21980), the abuse of which could potentially allow a malicious actor to gain access to sensitive information.
The SSRF vulnerability (CVE-2021-22049), which has a CVSS rating of 6.5, was more specifically found in the vSAN Web Client plugin (vSAN UI).
An attacker could exploit this flaw by accessing an internal service or by making a URL request outside of vCenter Server.
VMware has released security updates that correct both vulnerabilities for vCenter Server versions 6.5 and 6.7.
The version 7.x line, which cannot use the vSphere Web Client (FLEX / Flash), is not affected by the vulnerabilities.
Fixes for both bugs are pending for Cloud Foundation version 3.x, while version 4.x is unaffected.
VMware thanked “ch0wn” from Orz Lab for reporting the arbitrary file read issue and “magiczero” from QI-ANXIN group for reporting the SSRF issue.
Of the five server virtualization products with the largest market share, three are VMware platforms, with vSphere the market leader and vCenter Server in fifth place, according to Statista.
Combined with the slowness of many companies to apply updates, VMware’s dominance in the server virtualization market has made its products in this area a prime target for sophisticated attackers.
In September, The Daily Swig reported active exploitation of another critical arbitrary file upload vulnerability in vCenter Server.
And in June, it emerged that thousands of vCenter Server instances still had not been patched for a pair of critical vulnerabilities in the vSphere Client (HTML5) three weeks after their disclosure.
Earlier, in February, The Daily Swig reported that an even greater number of vCenter installations were potentially at risk because attackers probed systems for the presence of a critical RCE bug.