
Alert - VMware Security Updates

Description
VMware has released security updates to fix unauthorized access flaws (CVE-2021-21980 & CVE-2021-22049) in VMware vCenter Server and Cloud Foundation.
Affected products and versions are as follows:
  • VMware vCenter Server
    • versions 6.7 prior to 6.7 U3p
    • versions 6.5 prior to 6.5 U3r
  • Cloud Foundation (vCenter Server)
    • versions 3.x prior to 3.10.2.2
VMware vCenter Server 7.0 and Cloud Foundation (vCenter Server) 4.x are not affected.
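
As an added example (not part of this advisory or of any VMware tooling), the version thresholds listed above can be applied to an asset inventory to find systems that still need the update. The product keys `vcenter` and `vcf`, the `<branch> U<n><letter>` version format, and the hostnames are assumptions; inventories that record build numbers would need mapping to release names first.

```python
import re

# Thresholds copied from the advisory; product keys and input format are assumptions.
VCENTER_FIXED = {"6.7": "U3p", "6.5": "U3r"}   # branch -> first fixed update
VCF_FIXED = (3, 10, 2, 2)                      # Cloud Foundation 3.x fixed release

def update_key(label):
    """Turn 'U3p' into (3, 'p') so updates sort by number, then patch letter."""
    label = label.strip()
    if label in ("", "GA"):
        return (0, "")
    m = re.fullmatch(r"U(\d+)([a-z]?)", label, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised update label: {label!r}")
    return (int(m.group(1)), m.group(2).lower())

def classify(product, version):
    """Return 'vulnerable', 'patched', 'not affected' or 'unknown'."""
    try:
        if product == "vcenter":
            branch, _, update = version.strip().partition(" ")
            if branch not in VCENTER_FIXED:
                # 7.0 is explicitly cleared; other branches are not covered here.
                return "not affected" if branch == "7.0" else "unknown"
            fixed = update_key(VCENTER_FIXED[branch])
            return "vulnerable" if update_key(update) < fixed else "patched"
        if product == "vcf":
            parts = tuple(int(p) for p in version.strip().split("."))
            if parts[0] != 3:
                return "not affected" if parts[0] == 4 else "unknown"
            return "vulnerable" if parts < VCF_FIXED else "patched"
    except ValueError:
        pass                              # unparseable version: review by hand
    return "unknown"

# Constructed inventory rows (hostname, product, version), not real systems.
INVENTORY = [
    ("vc-a.example", "vcenter", "6.7 U3o"),
    ("vc-b.example", "vcenter", "6.5 U3r"),
    ("vc-c.example", "vcenter", "7.0 U2"),
    ("vcf-a.example", "vcf", "3.10.2.1"),
    ("vcf-b.example", "vcf", "4.3"),
]

def triage(rows):
    return {host: classify(product, version) for host, product, version in rows}

if __name__ == "__main__":
    print(triage(INVENTORY))
```

Anything reported as `unknown` falls outside the versions this advisory names and should be checked against the VMware Security Advisory directly.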

 

Security Risks
A remote attacker with network access to port 443 on vCenter Server may execute commands with unrestricted privileges on a vulnerable system and access an internal service or sensitive information. For more details, please refer to the VMware Security Advisory.
 
Recommended Actions
The National Cyber Security Authority (NCSA) recommends that all system administrators who use VMware web clients:
  • Immediately apply the latest security patches to the vCenter Server version currently in use, which will eventually update other plugins to the new version.
 
For further information and support, please contact the National Cyber Security Authority (NCSA) by email at rwcsirt@ncsa.gov.rw or call us on 9009.

 

References
VMware Security Advisory
CVE-2021-21980
CVE-2021-22049
 

 

25 November 2021
