VMware Security Announcement VMSA-2021-0010 CVSSv3 score range 6.5 to 9.8
May 25, 2021
Hi everyone,
An urgent post for anyone on vCenter 6.5, 6.7 or 7.0!
NOTE: The information below is a snapshot of the VMSA-2021-0010 page, and this page may not be updated anymore after the post. For the latest information, I redirect you to the VMSA-2021-0010 link.
UPDATE: VMware just made a blog post with advise, questions, workarounds and more. You can find it here .
VMSA-2021-0010 has just been released, addressing:
VMware vCenter Server updates address remote code execution vulnerability in the vSphere Client (CVE-2021-21985) (CVSSv3 9.8)
Description
The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
Known Attack Vectors
A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
Resolution
To remediate CVE-2021-21985 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.
Workarounds
Workarounds for CVE-2021-21985 have been listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.
Additional Documentation
None.
Notes
The affected Virtual SAN Health Check plug-in is enabled by default in all vCenter Server deployments, whether or not vSAN is being used.
A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2021-0010-blog
Acknowledgements
VMware would like to thank Ricter Z of 360 Noah Lab for reporting this issue to us.
Response Matrix:
Product
<td>
Version
</td>
<td>
Running On
</td>
<td>
CVE Identifier
</td>
<td>
CVSSv3
</td>
<td>
Severity
</td>
<td>
Fixed Version
</td>
<td>
Workarounds
</td>
<td>
Additional Documentation
</td>
vCenter Server
<td>
7.0
</td>
<td>
Any
</td>
<td>
CVE-2021-21985
</td>
<td>
<a href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" target="_blank" rel="noreferrer noopener">9.8</a>
</td>
<td>
critical
</td>
<td>
<a href="https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u2b-release-notes.html" target="_blank" rel="noreferrer noopener">7.0 U2b</a>
</td>
<td>
<a href="https://kb.vmware.com/s/article/83829" target="_blank" rel="noreferrer noopener">KB83829</a>
</td>
<td>
<a href="https://via.vmw.com/vmsa-2021-0010-faq" target="_blank" rel="noreferrer noopener">FAQ</a>
</td>
vCenter Server
<td>
6.7
</td>
<td>
Any
</td>
<td>
CVE-2021-21985
</td>
<td>
<a href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" target="_blank" rel="noreferrer noopener">9.8</a>
</td>
<td>
critical
</td>
<td>
<a href="https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3n-release-notes.html" target="_blank" rel="noreferrer noopener">6.7 U3n</a>
</td>
<td>
<a href="https://kb.vmware.com/s/article/83829" target="_blank" rel="noreferrer noopener">KB83829</a>
</td>
<td>
<a href="https://via.vmw.com/vmsa-2021-0010-faq" target="_blank" rel="noreferrer noopener">FAQ</a>
</td>
vCenter Server
<td>
6.5
</td>
<td>
Any
</td>
<td>
CVE-2021-21985
</td>
<td>
<a href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" target="_blank" rel="noreferrer noopener">9.8</a>
</td>
<td>
critical
</td>
<td>
<a href="https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u3p-release-notes.html" target="_blank" rel="noreferrer noopener">6.5 U3p</a>
</td>
<td>
<a href="https://kb.vmware.com/s/article/83829" target="_blank" rel="noreferrer noopener">KB83829</a>
</td>
<td>
<a href="https://via.vmw.com/vmsa-2021-0010-faq" target="_blank" rel="noreferrer noopener">FAQ</a>
</td>
Impacted Product Suites that Deploy Response Matrix 3a Components:
Product
<td>
Version
</td>
<td>
Running On
</td>
<td>
CVE Identifier
</td>
<td>
CVSSv3
</td>
<td>
Severity
</td>
<td>
Fixed Version
</td>
<td>
Workarounds
</td>
<td>
Additional Documentation
</td>
Cloud Foundation (vCenter Server)
<td>
4.x
</td>
<td>
Any
</td>
<td>
CVE-2021-21985
</td>
<td>
<a href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" target="_blank" rel="noreferrer noopener">9.8</a>
</td>
<td>
critical
</td>
<td>
<a href="https://docs.vmware.com/en/VMware-Cloud-Foundation/4.2.1/rn/VMware-Cloud-Foundation-421-Release-Notes.html" target="_blank" rel="noreferrer noopener">4.2.1</a>
</td>
<td>
<a href="https://kb.vmware.com/s/article/83829" target="_blank" rel="noreferrer noopener">KB83829</a>
</td>
<td>
<a href="https://via.vmw.com/vmsa-2021-0010-faq" target="_blank" rel="noreferrer noopener">FAQ</a>
</td>
Cloud Foundation (vCenter Server)
<td>
3.x
</td>
<td>
Any
</td>
<td>
CVE-2021-21985
</td>
<td>
<a href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" target="_blank" rel="noreferrer noopener">9.8</a>
</td>
<td>
critical
</td>
<td>
<a href="https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10.2/rn/VMware-Cloud-Foundation-3102-Release-Notes.html#3.10.2.1" target="_blank" rel="noreferrer noopener">3.10.2.1</a>
</td>
<td>
<a href="https://kb.vmware.com/s/article/83829" target="_blank" rel="noreferrer noopener">KB83829</a>
</td>
<td>
<a href="https://via.vmw.com/vmsa-2021-0010-faq" target="_blank" rel="noreferrer noopener">FAQ</a>
</td>
And:
Authentication mechanism issue in vCenter Server Plug-ins (CVE-2021-21986) (CVSSv3 6.5)
Description
The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5 .
Known Attack Vectors
A malicious actor with network access to port 443 on vCenter Server may perform actions allowed by the impacted plug-ins without authentication.
Resolution
To remediate CVE-2021-21986 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.
Workarounds
Workarounds for CVE-2021-21986 have been listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.
Additional Documentation
None.
Notes
A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2021-0010-blog
Acknowledgements
None.
Response Matrix:
Product
<td>
Version
</td>
<td>
Running On
</td>
<td>
CVE Identifier
</td>
<td>
CVSSv3
</td>
<td>
Severity
</td>
<td>
Fixed Version
</td>
<td>
Workarounds
</td>
<td>
Additional Documentation
</td>
vCenter Server
<td>
7.0
</td>
<td>
Any
</td>
<td>
CVE-2021-21986
</td>
<td>
<a href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" target="_blank" rel="noreferrer noopener">6.5</a>
</td>
<td>
moderate
</td>
<td>
<a href="https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u2b-release-notes.html" target="_blank" rel="noreferrer noopener">7.0 U2b</a>
</td>
<td>
<a href="https://kb.vmware.com/s/article/83829" target="_blank" rel="noreferrer noopener">KB83829</a>
</td>
<td>
<a href="https://via.vmw.com/vmsa-2021-0010-faq" target="_blank" rel="noreferrer noopener">FAQ</a>
</td>
vCenter Server
<td>
6.7
</td>
<td>
Any
</td>
<td>
CVE-2021-21986
</td>
<td>
<a href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" target="_blank" rel="noreferrer noopener">6.5</a>
</td>
<td>
moderate
</td>
<td>
<a href="https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3n-release-notes.html" target="_blank" rel="noreferrer noopener">6.7 U3n</a>
</td>
<td>
<a href="https://kb.vmware.com/s/article/83829" target="_blank" rel="noreferrer noopener">KB83829</a>
</td>
<td>
<a href="https://via.vmw.com/vmsa-2021-0010-faq" target="_blank" rel="noreferrer noopener">FAQ</a>
</td>
vCenter Server
<td>
6.5
</td>
<td>
Any
</td>
<td>
CVE-2021-21986
</td>
<td>
<a href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" target="_blank" rel="noreferrer noopener">6.5</a>
</td>
<td>
moderate
</td>
<td>
<a href="https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u3p-release-notes.html" target="_blank" rel="noreferrer noopener">6.5 U3p</a>
</td>
<td>
<a href="https://kb.vmware.com/s/article/83829" target="_blank" rel="noreferrer noopener">KB83829</a>
</td>
<td>
<a href="https://via.vmw.com/vmsa-2021-0010-faq" target="_blank" rel="noreferrer noopener">FAQ</a>
</td>
Impacted Product Suites that Deploy Response Matrix 3b Components:
Product
<td>
Version
</td>
<td>
Running On
</td>
<td>
CVE Identifier
</td>
<td>
CVSSv3
</td>
<td>
Severity
</td>
<td>
Fixed Version
</td>
<td>
Workarounds
</td>
<td>
Additional Documentation
</td>
Cloud Foundation (vCenter Server)
<td>
4.x
</td>
<td>
Any
</td>
<td>
CVE-2021-21986
</td>
<td>
<a href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" target="_blank" rel="noreferrer noopener">6.5</a>
</td>
<td>
moderate
</td>
<td>
<a href="https://docs.vmware.com/en/VMware-Cloud-Foundation/4.2.1/rn/VMware-Cloud-Foundation-421-Release-Notes.html" target="_blank" rel="noreferrer noopener">4.2.1</a>
</td>
<td>
<a href="https://kb.vmware.com/s/article/83829" target="_blank" rel="noreferrer noopener">KB83829</a>
</td>
<td>
<a href="https://via.vmw.com/vmsa-2021-0010-faq" target="_blank" rel="noreferrer noopener">FAQ</a>
</td>
Cloud Foundation (vCenter Server)
<td>
3.x
</td>
<td>
Any
</td>
<td>
CVE-2021-21986
</td>
<td>
<a href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" target="_blank" rel="noreferrer noopener">6.5</a>
</td>
<td>
moderate
</td>
<td>
<a href="https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10.2/rn/VMware-Cloud-Foundation-3102-Release-Notes.html#3.10.2.1" target="_blank" rel="noreferrer noopener">3.10.2.1</a>
</td>
<td>
<a href="https://kb.vmware.com/s/article/83829" target="_blank" rel="noreferrer noopener">KB83829</a>
</td>
<td>
<a href="https://via.vmw.com/vmsa-2021-0010-faq" target="_blank" rel="noreferrer noopener">FAQ</a>
</td>
Fixed Version(s) and Release Notes:
vCenter Server 7.0 U2b https://my.vmware.com/en/web/vmware/downloads/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/7_0 https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u2b-release-notes.html
vCenter Server 6.7 U3n https://my.vmware.com/en/web/vmware/downloads/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/6_7 https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3n-release-notes.html
vCenter Server 6.5 U3p https://my.vmware.com/en/web/vmware/downloads/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/6_5 https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u3p-release-notes.html
VMware vCloud Foundation 4.2.1 https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VCF421&productId=1121&rPId=67576 https://docs.vmware.com/en/VMware-Cloud-Foundation/4.2.1/rn/VMware-Cloud-Foundation-421-Release-Notes.html
VMware vCloud Foundation 3.10.2.1 https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10.2/rn/VMware-Cloud-Foundation-3102-Release-Notes.html#3.10.2.1
Mitre CVE Dictionary Links: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21985 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21986
FIRST CVSSv3 Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N