VMware (opens in new tab) has patched over a dozen vulnerabilities in its flagship products, one of which is a critical file upload vulnerability that can be used to execute commands and software on the vCenter Server appliance.
The critical bug, tracked as CVE-2021-22005, is the third vCenter vulnerability this year that’s rated 9.8/10 in severity, and is part of the 19 that plague VMware’s vCenter, vSphere, and Cloud Foundation product lines.
"A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file," states VMware's advisory (opens in new tab).
- These are the best ransomware protection tools (opens in new tab)
- Protect your devices with these best antivirus software (opens in new tab)
- We've put together a list of the best endpoint protection (opens in new tab) software
The vulnerabilities affect vSphere v6.5, Cloud Foundation 3.x and 4.x, vCenter Server 6.7 and 7.0 releases, and the advisory urges users of these versions to patch their instances without delay.
In a blog post (opens in new tab) about the vulnerabilities, VMware’s technical marketing architect, Bob Plankers points out that users must patch CVE-2021-22005 immediately since it “can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server.”
While VMware’s advisory doesn’t mention if any of the vulnerabilities have been exploited in the wild, recent vCenter flaws, like the vSphere client bug (opens in new tab) patched earlier this year in May, were.
Reporting on the development, The Register notes that despite the critical nature of CVE-2021-22005 the company has urged users to look at patching the other flaws as well.
While most of them can’t be exploited remotely, lessening their impact, many of them can be exploited to do considerable damage.
- Here’s our roundup of the best patch management tools (opens in new tab)
Via The Register (opens in new tab)