VMware VMSA-2021-0027 | Runecast Analyzer
On the 24th of November, VMware announced VMware Security Advisory (VMSA). Unlike September’s announcement, this one only covers 2 Common Vulnerabilities and Exposures (CVE).
CVEs like this provide definitions for publicly disclosed cybersecurity vulnerabilities and exposures, and this VMSA provides VMware’s resolution information.
The latest Runecast Knowledge Definition Update version 5.1.2.6, released 25 November, covers these CVEs and is already available for download. Customers with automatic updates enabled will receive the new definitions during the next update cycle, with offline updates available through the Runecast customer portal.
Once again Runecast reacts to a VMware Security Announcement within 24 hours, deploying a new update and keeping your environments safe and secure as quickly as possible.
We hope that these blog announcements are helpful. Sometimes the abundance of technical information in a security advisory means that it can be hard to fully understand the impact that the vulnerabilities and the fixes might have on your environment. If you’re not sure what this means for your or your environments please contact us and we’ll be happy to discuss it with you.
The two CVEs are covered in detail below.
File read vulnerability in the vSphere Web Client (CVE-2021-21980)
The vSphere Web Client (FLEX/Flash) contains an unauthorized arbitrary file read vulnerability. VMware has evaluated the severity of this vulnerability to be important. In order to exploit this vulnerability a malicious actor could use port 443 on the vCenter Server to gain access to sensitive information.
This CVE affects vCenter Server versions 6.5 and 6.3 and the fixed versions are available for download. vCenter Server versions running 7.x are not affected, as vCenter Server vSphere Web Client (FLEX/Flash) is not available in vCenter Server 7.x.
This CVE also affects the Cloud Foundation vCenter Server version 3. A patch is pending for this software, but at the time of publishing was not listed as available on VMware’s website. There are no known workarounds for this issue.
SSRF vulnerability in the vSphere Web Client (CVE-2021-22049)
The vSphere Web Client (FLEX/Flash) contains an SSRF (Server Side Request Forgery) vulnerability in the vSAN Web Client (vSAN UI) plug-in. VMware has evaluated the severity of this vulnerability to be moderate. A malicious actor with access to port 443 on vCenter Server could exploit this issue by accessing a URL request outside of vCenter Server, or accessing an internal service.
Please note, as above, that vCenter Server versions running 7.x are not affected by this CVE, due to their lack of FLEX/Flash.
This CVE affects vCenter Server versions 6.5 and 6.3 and the fixed versions are available for download. This CVE also affects the Cloud Foundation vCenter Server version 3. A patch is pending for this software, but at the time of publishing was not listed as available on VMware’s website. There are no known workarounds for this issue.
As always, if you have any questions you can reach out to us via our contact us form or on Twitter with any feedback.
Meet other Runecasters here:
Get a free 14-day trial of Runecast
Try Runecast Analyzer's secure, on-premises cloud transparency in your VMware, AWS & Kubernetes environment free for 14 days.