Break out your emergency change process and patch this ransomware-friendly bug ASAP, says VMware
2021-09-22 00:45

VMware has disclosed a batch of vulnerabilities in vCenter Server, the management component of its flagship vSphere platform, including one rated critical, and urged users to drop everything and patch.

The worst of the bunch is CVE-2021-22005, described as "An arbitrary file upload vulnerability in the Analytics service" that's part of vCenter Server.

"A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file," states VMware's advisory.

As vCenter Server is VMware's tool to manage fleets of virtual machines, the potential for mayhem is considerable.

For now, there's no debate: if you run vCenter Server or VMware Cloud Foundation, patching is the job in front of you.

Cloud Foundation 3.x and 4.x and vCenter Server 6.7 and 7.0 all need patches, ASAP.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/09/22/vmware_emergency_vcenter_patch_recommendation/

Related Vulnerability

Date: 2021-09-23
CVE: CVE-2021-22005
Title: Path Traversal vulnerability in VMware Cloud Foundation and vCenter Server
Description: The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service.
Attack vector: network
Attack complexity: low
Vendor: VMware
CWE: CWE-22
Risk: critical (CVSS 9.8)

Related vendor

Vendor: VMware
Last 12M / #/products: 146
Vulnerabilities by severity: low 11, medium 222, high 256, critical 102
Total vulnerabilities: 591