Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security

VMware Warns of Critical Remote Code Execution Hole In vCenter (zdnet.com) 15

An anonymous reader quotes a report from ZDNet: VMware is urging its vCenter users to update vCenter Server versions 6.5, 6.7, and 7.0 immediately, after a pair of vulnerabilities were reported privately to the company. The most pressing is CVE-2021-21985, which relates to a remote code execution vulnerability in a vSAN plugin enabled by default in vCenter that an attacker could use to run whatever they wished on the underlying host machine, provided they can access port 443. Even if users do not use vSAN, they are likely to be affected because the vSAN plugin is enabled by default. "This needs your immediate attention if you are using vCenter Server," VMware said in a blog post.

The second vulnerability, CVE-2021-21986, would allow an attacker to perform actions allowed by plugins without authentication. "The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins," VMware said. In terms of CVSSv3 scores, CVE-2021-21985 hit an 9.8, while CVE-2021-21986 was scored as 6.5.

This discussion has been archived. No new comments can be posted.

VMware Warns of Critical Remote Code Execution Hole In vCenter

Comments Filter:
  • All the Cloud BS is such a bad idea for any company big enough to know the difference.

    • +1000 Someday (I hope soon) companies will put back security and clients privacy a top priority by reverting back their mission criticals systems in-house. Until then, each time I see a news like this I laught a lot, open a beer, grab a popcorn bag and watch the show...

  • Ugh. I hate signing into modern vSphere/vCenter. It takes over two minutes to load a single webpage and pull down a short list of VMs. The installable C# client was far faster and superior to the HTML5 client in every way that mattered.

    Am I shocked that there's a critical vulnerability in the vSphere HTML5 client software? Nope. Not one bit.

  • Some software will never be upgraded. What is the best practices solution for handling all that old software? Some hospitals put vulnerable systems on a protected VPN or isolated network, but you can't force all vulnerable systems onto another network if you do not own the systems or networks and that often breaks things in unpredictable ways or makes them unusable. Until there is a solution for this, every newly discovered vulnerability remains a threat for a decade or more and cyberspace will continual

There's no sense in being precise when you don't even know what you're talking about. -- John von Neumann

Working...