VMWare Patches Critical RCE Flaw in vCenter Server (Security News, February 2021)
VMware has patched three vulnerabilities in its virtual-machine infrastructure for data centers, the most serious of which is a remote code execution flaw in its vCenter Server management platform.
The most critical of the flaws, tracked as CVE-2021-21972 with a CVSS v3 score of 9.8, was found by researcher Klyuchnikov in a vCenter Server plugin for vROps within the vSphere Client functionality, according to an advisory VMware posted online on Tuesday.
Klyuchnikov said the VMware flaw poses "No less threat" than the notoriously easy-to-exploit Citrix RCE vulnerability CVE-2019-19781, which was disclosed two years ago and found to affect more than 25,000 servers globally.
Another flaw patched by VMware in the update also has potential for remote code execution and affects the hypervisor VMware ESXi, the company said.
The other flaw Klyuchnikov discovered, tracked as CVE-2021-21973 and the least serious of the three, is a server-side request forgery (SSRF) vulnerability caused by improper validation of URLs in a vCenter Server plugin; it carries a CVSS score of 5.3, according to VMware. "A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure," the company said.
Unauthorized users can use the SSRF flaw to make the targeted server send requests on their behalf, which can help threat actors develop further attacks.
News URL: https://threatpost.com/vmware-patches-critical-rce-flaw-in-vcenter-server/164240/
Related news
- Critical Flaw in ProjectSend Under Active Exploitation Against Public-Facing Servers
- Veeam warns of critical RCE bug in Service Provider Console
- Exploit released for critical WhatsUp Gold RCE flaw, patch now
- Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console
- PoC exploit for critical WhatsUp Gold RCE vulnerability released (CVE-2024-8785)
- Apache issues patches for critical Struts 2 RCE bug
- New critical Apache Struts flaw exploited to find vulnerable servers
- Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE Attacks
- Critical RCE Flaw in GFI KerioControl Allows Remote Code Execution via CRLF Injection
- Hackers exploit critical Aviatrix Controller RCE flaw in attacks
Related vulnerabilities

| Date | CVE | Vulnerability title | Risk (CVSS score) |
|---|---|---|---|
| 2021-02-24 | CVE-2021-21972 | Path traversal vulnerability in VMware Cloud Foundation and vCenter Server: the vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. | 9.8 |
| 2021-02-24 | CVE-2021-21973 | Server-side request forgery (SSRF) vulnerability in VMware Cloud Foundation and vCenter Server: the vSphere Client (HTML5) contains an SSRF vulnerability due to improper validation of URLs in a vCenter Server plugin. | 5.3 |
| 2019-12-27 | CVE-2019-19781 | Path traversal vulnerability in Citrix products: an issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. | 9.8 |