VMware issues emergency patch for critical security flaws

A man standing in front of a rack of servers inside a data center
(Image credit: Shutterstock.com / Gorodenkoff)

VMware has patched over a dozen vulnerabilities in its flagship products, one of which is a critical file upload vulnerability that can be used to execute commands and software on the vCenter Server appliance.

The critical bug, tracked as CVE-2021-22005, is the third vCenter vulnerability this year that’s rated 9.8/10 in severity, and is part of the 19 that plague VMware’s vCenter, vSphere, and Cloud Foundation product lines.

"A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file," states VMware's advisory.

The vulnerabilities affect vSphere v6.5, Cloud Foundation 3.x and 4.x, vCenter Server 6.7 and 7.0 releases, and the advisory urges users of these versions to patch their instances without delay.

Emergency change

In a blog post about the vulnerabilities, VMware’s technical marketing architect Bob Plankers points out that users must patch CVE-2021-22005 immediately, since it “can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server.”

While VMware’s advisory doesn’t mention whether any of the vulnerabilities have been exploited in the wild, recent vCenter flaws, like the vSphere Client bug patched earlier this year in May, were.

Reporting on the development, The Register notes that despite the critical nature of CVE-2021-22005 the company has urged users to look at patching the other flaws as well.

While most of them can’t be exploited remotely, lessening their impact, many of them can be exploited to do considerable damage.

Via The Register

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.