VMware patch bulletin warns: "This needs your immediate attention." (Security News, September 2021)
Generally speaking, file upload vulnerabilities happen when an untrusted user is allowed to upload files of their own choosing.
Those untrusted files end up saved in a location where the server will subsequently treat them as trusted files instead, perhaps executing them as scripts or programs, or using them to reconfigure security settings on the server.
If server-side scripting is enabled and the uploaded file is a script sitting in a directory the server serves, the server runs the script locally and sends its output back as the web content, turning the upload into a vehicle for remote code execution.
Being able to plant files that shouldn't be there is dangerous enough on its own, but when unauthenticated users can upload such files and the server will then execute them, it's as though you granted anyone who asks the right to run commands with the privileges of the server process, no password required.
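As an added example (not code from the article or from VMware), the pattern above in Python: a handler that trusts the client's filename and writes into the web root, beside a hardened version that allowlists extensions, refuses a script extension anywhere in the name, chooses its own random filename and stores the bytes outside the served tree with no execute bit. The extension lists, directory names and payloads are constructed for illustration and are not taken from the vCenter bug.

```python
import os
import stat
import secrets
import tempfile
from pathlib import Path
from typing import Optional

# Constructed lists for this example: extensions the web server would execute as
# server-side scripts, and extensions the application genuinely needs to accept.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".jsp", ".jspx", ".asp", ".aspx", ".cgi", ".py", ".sh"}
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt"}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024


def vulnerable_save(upload_dir: Path, client_filename: str, data: bytes) -> Path:
    """The shape of a classic upload flaw: the client's filename is trusted and
    the bytes are written into a directory the web server serves (and, with
    server-side scripting on, executes). '../' and '.jsp' both sail through."""
    upload_dir.mkdir(parents=True, exist_ok=True)
    target = upload_dir / client_filename
    target.write_bytes(data)
    return target


class UploadRejected(ValueError):
    """Raised by the hardened handler for anything it will not store."""


def safe_extension(client_filename: str) -> Optional[str]:
    """Return the lower-cased extension if the name is acceptable, else None.

    Only the final path component is considered, the last extension must be on
    the allowlist, and no extension anywhere in the name may be a script type,
    so 'shell.php.png' is refused even though it ends in '.png'."""
    base = os.path.basename(client_filename.replace("\\", "/"))
    suffixes = [s.lower() for s in Path(base).suffixes]
    if not suffixes:
        return None  # no extension at all, or a dotfile such as .htaccess
    if suffixes[-1] not in ALLOWED_EXTENSIONS or set(suffixes) & SCRIPT_EXTENSIONS:
        return None
    return suffixes[-1]


def hardened_save(store_dir: Path, client_filename: str, data: bytes) -> Path:
    """Store an upload so that nothing the client controls reaches the filesystem
    as a path, and the result lands outside the served tree with no execute bit."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("upload too large")
    ext = safe_extension(client_filename)
    if ext is None:
        raise UploadRejected(f"filename not permitted: {client_filename!r}")
    store_dir.mkdir(parents=True, exist_ok=True)
    store_root = store_dir.resolve()
    # Server-chosen random name; the client's name is used only for its extension.
    target = (store_root / f"{secrets.token_hex(16)}{ext}").resolve()
    if target.parent != store_root:  # belt and braces: must stay inside the store
        raise UploadRejected("path escapes storage directory")
    # O_EXCL refuses to overwrite an existing file; mode 0o600 sets no execute bit.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Run both handlers on constructed payloads inside a throwaway directory tree."""
    root = Path(tempfile.mkdtemp())
    webroot = root / "webroot"            # what the web server serves
    upload_dir = webroot / "uploads"      # the vulnerable handler writes here
    store_dir = root / "private_store"    # the hardened handler writes here, outside webroot
    jsp_payload = b"<% /* constructed stand-in for a web shell */ %>"
    results = {}

    landed = vulnerable_save(upload_dir, "../shell.jsp", jsp_payload)
    # The traversal escaped uploads/ and the script now sits directly in the web root.
    results["vulnerable_escaped_upload_dir"] = landed.resolve() == (webroot / "shell.jsp").resolve()

    try:
        hardened_save(store_dir, "../shell.jsp", jsp_payload)
        results["hardened_rejected_script"] = False
    except UploadRejected:
        results["hardened_rejected_script"] = True

    stored = hardened_save(store_dir, "../report.pdf", b"%PDF-1.4 constructed sample")
    results["hardened_stored_outside_webroot"] = (
        stored.parent == store_dir.resolve() and webroot.resolve() not in stored.parents
    )
    results["hardened_name_is_server_chosen"] = stored.name != "report.pdf" and stored.suffix == ".pdf"
    results["hardened_not_executable"] = not (stat.S_IMODE(stored.stat().st_mode) & 0o111)
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The hardened handler deliberately does not try to detect scripts by inspecting content: the server decides what to execute by path and extension, so those are what the check must control. Storing outside the document root and serving files back through a download handler removes the execution route even if a filter is later bypassed.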
If you can't or won't patch just yet, VMware has provided a temporary workaround that disables the vulnerable component on affected vCenter Server systems. Treat it as a stopgap rather than a fix, and plan to apply the patch as soon as you can.
VMware has published Python scripts that make these changes for you, along with full instructions for editing the relevant configuration file by hand.