CVE-2021-21972

The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).

VMware vCenter Server updates address remote code execution vulnerability in the vSphere Client (CVE-2021-21972)

Description

The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

Known Attack Vectors

A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

Resolution

To remediate CVE-2021-21972 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments.

Workarounds

Workarounds for CVE-2021-21972 have been listed in the 'Workarounds' column of the 'Response Matrix' below.

Notes

The affected vCenter Server plugin for vROPs is present in all default installations; vROPs itself does not need to be deployed for the endpoint to be reachable. Follow the workarounds KB article to disable the plugin.

Acknowledgements

VMware would like to thank Mikhail Klyuchnikov of Positive Technologies for reporting this issue to us.

Response Matrix:

Product        | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
vCenter Server | 7.0     | Any        | CVE-2021-21972 | 9.8    | critical | 7.0 U1c       |             | None
vCenter Server | 6.7     | Any        | CVE-2021-21972 | 9.8    | critical | 6.7 U3l       |             | None
vCenter Server | 6.5     | Any        | CVE-2021-21972 | 9.8    | critical | 6.5 U3n       |             | None

Impacted Product Suites that Deploy Response Matrix 3a Components:

Product                          | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
Cloud Foundation (vCenter Server) | 4.x     | Any        | CVE-2021-21972 | 9.8    | critical | 4.2           |             | None
Cloud Foundation (vCenter Server) | 3.x     | Any        | CVE-2021-21972 | 9.8    | critical | 3.10.1.2      |             | None

Access (CVSS v2)

Vector  | Complexity | Authentication
NETWORK | LOW        | NONE

Impact (CVSS v2)

Confidentiality | Integrity | Availability
COMPLETE        | COMPLETE  | COMPLETE

Exploitability (CVSS v3.1)

Attack Complexity | Attack Vector | Privileges Required | Scope     | User Interaction
LOW               | NETWORK       | NONE                | UNCHANGED | NONE

Impact (CVSS v3.1)

Confidentiality | Integrity | Availability
HIGH            | HIGH      | HIGH