PDS Cyber Security Advisory:
Advisory Regarding Critical Vulnerabilities in vCenter Server

Advisory Type: IT Security
Severity: Critical

PDS is providing the following communication to build awareness of a critical vulnerability and patch availability affecting VMware vCenter Server.

On May 25, 2021, VMware posted advisory VMSA-2021-0010 disclosing vulnerabilities in VMware vCenter Server. The vulnerabilities involve remote code execution and an authentication bypass; CVE-2021-21985 and CVE-2021-21986 have been assigned.

The vSphere Client (HTML5) in versions 6.5, 6.7, and 7.0 lacks input validation, which can result in the unauthenticated execution of commands. VMware rates the issue CRITICAL, with a CVSSv3 base score of 9.8. A malicious actor with network access to port 443 could exploit the vulnerability to execute commands on the underlying operating system hosting vCenter Server.

Updates are available for the three listed versions to resolve the vulnerability. If updates cannot be applied, the advisory references workaround procedures.

We strongly advise customers to review the VMware advisory and patching information. PDS Architects are available to assist with the updates; your Account Director can arrange support for this issue.