VMware VMSA-2021-0027
Published: Nov 23, 2021

VMware vCenter Server updates address arbitrary file read and SSRF vulnerabilities (CVE-2021-21980, CVE-2021-22049)

2021-11-23 00:00:00
www.vmware.com

CVSS v3.1: 9.8 High
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2: 7.5 High
  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL
  • Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

1. Impacted Products
  • VMware vCenter Server (vCenter Server)

  • VMware Cloud Foundation (Cloud Foundation)

2. Introduction

Multiple vulnerabilities in VMware vCenter Server were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

3a. vCenter Server updates address arbitrary file read vulnerability in the vSphere Web Client (CVE-2021-21980)

Description

The vSphere Web Client (FLEX/Flash) contains an unauthorized arbitrary file read vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

Known Attack Vectors

A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information.

Resolution

To remediate CVE-2021-21980, apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.

Workarounds

None.

Additional Documentation

None.

Notes

The vSphere Web Client (FLEX/Flash) is not available in vCenter Server 7.x; therefore this issue is not applicable to the vCenter Server 7.x release line.

Acknowledgements

VMware would like to thank ch0wn of Orz lab for reporting this issue to us.
