A new VMware security advisory has been released including one arbitrary file read and a Server Side Request Forgery vulnerability in the vSphere Web Client, with a CVSSv3 base score of 7.5 and 6.5 patching affected vCenter servers is advised.
Arbitrary File Read Vulnerability in the vSphere Web Client
The first vCenter vulnerability disclosed in the VMware security advisory is CVE-2021-21980. This is an issue in the vSphere Web Client (FLEX/Flash) component and has a base CVSSv3 base score of 7.5. This unauthorized arbitrary file read vulnerability can be abused by an attacker when they have access to network port 443 on the vCenter server.
The vulnerability affects both vCenter server 6.5 and vCenter server 6.7 but does not affect vCenter server 7.x. The affected vSphere Web Client (FLEX/Flash) component is not available in version 7.x, therefore it is not affected.
SSRF Vulnerability in the Vsphere Web Client
CVE-2021-22049 is the second vulnerability disclosed. This vulnerability has a CVSSv3 base score of 6.5 and affects the same vCenter server versions as listed above. Additionally, it also does not affect version 7.x.
Similar to the arbitrary file read vulnerability, this Server Side Request Forgery (SSRF) vulnerability can be exploited if an attacker has access to port 443 on the vCenter Server but requires the attacker to either access a URL request outside of vCenter server or accessing an internal service.
Manage Your vCenter Server Versions
The best way to manage your vCenter environment is by having a complete overview of it to begin with. To help you combat this vulnerability, we've created a special color-coded report which lists all of your vCenter Servers along with their version and build number so you know exactly which servers still require an update and which servers are safe. You can find the updates required in the VMware security advisory.