Issued: Thursday, 27 May, 2021
Last Revision: Thursday, 27 May, 2021
Vendor: VMware
Product: VMware vCenter Server, VMware Cloud Foundation
Severity Level:
VMware has released security updates addressing two vulnerabilities in VMware vCenter Server and VMware Cloud Foundation, tracked as CVE-2021-21985 and CVE-2021-21986.
CVE-2021-21985 is a remote code execution vulnerability in the vSphere Client (HTML5), caused by a lack of input validation in the Virtual SAN Health Check plugin. The plugin ships with vCenter Server and is enabled by default, whether or not vSAN is actually in use, so every vCenter Server deployment should be treated as affected. An attacker with network access to port 443 on vCenter Server could exploit this issue, without authentication, to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
CVE-2021-21986 is an authentication mechanism issue in the vSphere Client (HTML5), caused by missing authentication checks in the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plugins. An attacker with network access to port 443 on vCenter Server could exploit this issue to perform actions allowed by the affected plugins without authentication.
It is recommended to apply the latest security updates for VMware vCenter Server and VMware Cloud Foundation as soon as possible. The advisory, and a blog post in which VMware explains the issues and the urgency of patching, are available at the links below:
- https://www.vmware.com/security/advisories/VMSA-2021-0010.html
- https://blogs.vmware.com/vsphere/2021/05/vmsa-2021-0010.html
VMware has also published an article describing how to disable the affected plugins, which can be used as a temporary workaround until the updates are applied. Disabling a plugin removes its functionality from the vSphere Client and does not replace patching:
