VMware has released security updates for vCenter Server after fixing arbitrary file read and server-side request forgery (SSRF) vulnerabilities in the vSphere Web Client (FLEX/Flash).
Enterprises running vulnerable instances of the server management platform have been advised to apply relevant updates by a security advisory issued yesterday (November 23).
Both flaws were designated as ‘important’ in terms of severity.
With a CVSS rating of 7.5, the most severe is the arbitrary file read bug (CVE-2021-21980), abuse of which could potentially enable a malicious actor to gain access to sensitive information.
The SSRF vulnerability (CVE-2021-22049), which has a CVSS of 6.5, was more specifically found in the vSAN Web Client (vSAN UI) plugin.
An attacker could exploit this flaw by accessing an internal service or URL request outside of vCenter Server.
Security updates
VMware has released security updates that address both flaws for vCenter Server versions 6.5 and 6.7.
The 7.x release line, which cannot use vSphere Web Client (FLEX/Flash), is unaffected by the flaws.
Patches for both bugs are pending for Cloud Foundation’s 3.x release line, while 4.x is unaffected.
VMware thanked ‘ch0wn’ of Orz lab for reporting the arbitrary file read issue and ‘magiczero’ from the QI-ANXIN Group for reporting the SSRF.
Prime target
Of the five server virtualization products with the biggest market share, three are VMware platforms, with vSphere the market leader and vCenter Server ranking fifth, according to Statista.
Together with many enterprises’ slowness to apply updates, VMware’s dominance of the server virtualization market has made its products in this arena prime targets for sophisticated attackers.
In September, The Daily Swig reported on the active exploitation of another, critical arbitrary file upload flaw in vCenter Server.
And in June it emerged that thousands of vCenter Server instances remained unpatched for a pair of critical flaws in vSphere Client (HTML5) three weeks after their disclosure.
Earlier, in February, The Daily Swig reported that an even greater number of vCenter installations were potentially at risk as attackers probed systems for the presence of a critical RCE bug.
Source: https://portswigger.net/daily-swig/vmware-addresses-ssrf-arbitrary-file-read-flaws-in-vcenter-server
