The firm has issued updates for three flaws present across its VMware ESXi bare-metal hypervisor and vSphere Client virtual infrastructure management platform, including a severe bug rated 9.8 out of ten on the CVSS scale.
This vulnerability, tracked as CVE-2021-21972, is embedded in a vCenter Server plugin in the vSphere Client. Attackers with network access to port 443 may exploit this to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
Also patched is CVE-2021-21974, which is a heap buffer overflow vulnerability in the OpenSLP component of ESXi and is also rated a severe 8.8. Cyber criminals lying dormant within the same network segment as ESXi, also with access to port 427, may trigger the issue in OpenSLP which could also result in remote code execution.
Finally, CVE-2021-21973 is a server-side request forgery (SSRF) flaw in vSphere Client which has arisen due to improper validation of URLs in a vCenter Server plugin. This is not as severe as the other two bugs, having only been rated 5.3, but can also be exploited by those with access to port 443 to leak information.
There are workarounds that users can deploy for both CVE-2021-21972 and CVE-2021-21973 that are detailed here until a fix is deployed by the system administrator.
Users can patch these flaws, however, by updating the products to the most recent versions. These include 7.0 U1c, 6.7U3I and 6.5 U3n of vCenter Server, 4.2 and 184.108.40.206 of Cloud Foundation, as well as ESXi70U1c-17325551, ESXi670-202102401-SG and ESXi650-202102101-SG of ESXi.
These vulnerabilities were privately brought to the attention of VMware and customers are urged to patch their systems immediately.
Edge-enabled mobility of the future
Turning vehicle data into value
Modern networking for the borderless enterprise
Five ways top organisations are optimising networking at the edge
Address multi-cloud configuration risks
Cloud security challenges and how to overcome them
The total economic impact of IBM Security Verify
Cost savings and business benefits enabled by IBM Security Verify
See the original article here: ITPro