Menu
VMware have been privately informed about multiple vulnerabilities in the vSphere Client (HTML). The vulnerabilities have been denoted as CVE-2021-21985 and CVE-2021-21986.
The vulnerabilities cover remote code execution and authentication and have been scored between 6.5-9.8 on the common vulnerability scoring system (CVSSv3), where scoring ranges from 0–10; 0 being Low and 10 being Critical.
This vulnerability affects the Virtual SAN Health Check plug-in. This plug-in is enabled by default in vCentre Server. An attacker with network access on port 443 may exploit the vulnerability to execute unrestricted privileges on the OS hosting vCenter Server. This is affecting vCentre versions 6.5, 6.7, and 7.0 as well as Cloud Foundation 3.x and 4.x on any version of operating system.
To remediate against this CVE, the versions of VMware must be updated to the following versions, available at the links below:
This vulnerability affects multiple vSphere Client (HTML) plug-ins. The plugs that are affect are the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. A malicious actor with network access to port 443 on vCentre Server may perform actions that these plug-ins are design to facilitate, without authentication. This is affecting vCentre versions 6.5, 6.7, and 7.0 as well as Cloud Foundation 3.x and 4.x on any version of operating system.
To remediate against this CVE, the versions of VMware must be updated to the following versions, available at the links below:
A temporary solution to these vulnerabilities is to disable the affected plug-ins. The affect this will have is that the functions provided by the plug-ins will immediately be unavailable. To disable the plug-ins, follow the below steps.
PLEASE NOTE: It is not sufficient to disable the plugin from within the UI. The plug-ins will still be exploitable if disabled via the UI. Using the compatibility-matrix.xml file, it is possible to enter lines that force the plug-in to act as ‘incompatible’, the compatibility-matrix.xml file can be located in the following directories:
vSphere Environment Setup | vSphere Client | vSphere Web Client |
vCenter Server for Windows | C:\ProgramData\VMware\vCenterServer\cfg\vsphere-ui | C:\ProgramData\VMware\vCenterServer\cfg\vsphere-client |
vCenter Server Appliance | /etc/vmware/vsphere-ui | /etc/vmware/vsphere-client |
Add the lines below to the compatibility-matrix.xml file to ‘disable’ each individual plugin:
Plugin Name | Configuration Line |
VMware vRops Client Plugin | <PluginPackage id=”com.vmware.vrops.install” status=”incompatible”/> |
VMware vSAN H5 Client Plugin | <PluginPackage id=”com.vmware.vsphere.client.h5vsan” status=”incompatible”/> |
Site Recovery | <PluginPackage id=”com.vmware.vrUi” status=”incompatible”/> |
VMware vSphere Life-cycle Manager | <PluginPackage id=”com.vmware.vum.client” status=”incompatible”/> |
VMware Cloud Director Availability | <PluginPackage id=”com.vmware.h4.vsphere.client” status=”incompatible”/> |
To check the status of the plug-in check the following in the vSphere Client UI under Administration > Solutions > client-plugins. The plug-ins should show as ‘incompatible’.
