VMware patches vCenter Server flaw disclosed in November (Security News, July 2022)
Eight months after disclosing a high-severity privilege escalation flaw in the Integrated Windows Authentication (IWA) mechanism of vCenter Server, VMware has finally released a patch for one of the affected versions.
Successful exploitation allows an attacker with non-administrative access to an unpatched vCenter Server deployment to elevate privileges to a higher-privileged group.
While CVE-2021-22048 affects multiple vCenter Server versions, the company released vCenter Server 7.0 Update 3f today, a security update that only addresses the vulnerability for servers running the latest available release.
Luckily, although patches are pending for the other affected versions, VMware has provided a workaround to remove the attack vector since the security advisory was first published eight months ago, on November 10th, 2021.
To block exploitation attempts, VMware advises admins in a separate knowledge base article to switch from the affected Integrated Windows Authentication (IWA) identity source to either Active Directory over LDAPS or Identity Provider Federation for AD FS. Because the workaround removes the vulnerable authentication path rather than fixing it, it has to stay in place until the patch for the affected version ships.
VMware provides detailed instructions both for switching to Active Directory over LDAPS and for switching to Identity Provider Federation for AD FS.
Related news
- VMware Releases vCenter Server Update to Fix Critical RCE Vulnerability
- VMware fixes critical vCenter Server RCE bug – again! (CVE-2024-38812)
- VMware fixes bad patch for critical vCenter Server RCE flaw
- Week in review: Fortinet patches critical FortiManager 0-day, VMware fixes vCenter Server RCE
- Critical RCE bug in VMware vCenter Server now exploited in attacks
Related vulnerability
Date | CVE | Vulnerability title | Risk (CVSS base score)
---|---|---|---
2021-11-10 | CVE-2021-22048 | Unspecified vulnerability in VMware Cloud Foundation and vCenter Server: vCenter Server contains a privilege escalation vulnerability in the IWA (Integrated Windows Authentication) authentication mechanism. | 8.8