VMware patches vCenter Server flaw disclosed in November (Security News, July 2022)
Eight months after disclosing a high-severity privilege escalation flaw in the IWA (Integrated Windows Authentication) mechanism of vCenter Server, VMware has released a patch for one of the affected versions.
Successful exploitation allows an attacker with non-administrative access to an unpatched vCenter Server deployment to elevate privileges to a higher-privileged group.
While CVE-2021-22048 affects multiple vCenter Server versions, the update released today, vCenter Server 7.0 Update 3f, only addresses the vulnerability for servers running the latest available release.
Although patches for the other affected versions are still pending, VMware has provided a workaround that removes the attack vector since the security advisory was first published eight months ago, on November 10th, 2021.
To block exploitation attempts, VMware advises administrators in a separate knowledgebase article to switch from the affected Integrated Windows Authentication to either Active Directory over LDAPS authentication or Identity Provider Federation for AD FS.
VMware provides detailed instructions on switching to Active Directory over LDAPS and on switching to Identity Provider Federation for AD FS.
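The check an administrator applying the workaround wants is whether any SSO identity source still uses Integrated Windows Authentication, and whether the replacement Active Directory over LDAP source really uses LDAPS on every server URL with a CA certificate configured. The script below is an added example and not VMware's code or any VMware API: the identity-source records, their type labels (ActiveDirectory, ActiveDirectoryLdap, Federated) and the field names are a constructed, simplified representation assumed for the example; the only real facts it encodes are that IWA is the affected mechanism and that LDAPS is expected on port 636 or 3269.

```python
"""Audit SSO identity sources for the CVE-2021-22048 workaround.

Added example, not VMware's code. The record format (name, type, servers,
ca_certs) and the type labels are assumptions of this example, not the
output of any vCenter API; adapt them to whatever export you work from.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumed type labels (not VMware's identifiers).
IWA_TYPE = "ActiveDirectory"          # "Active Directory (Integrated Windows Authentication)"
LDAP_TYPE = "ActiveDirectoryLdap"     # "Active Directory over LDAP"
FEDERATED_TYPE = "Federated"          # Identity Provider Federation (AD FS)
LDAPS_PORTS = {636, 3269}             # LDAPS and Global Catalog over TLS

# Constructed sample data: one source still on IWA, one correctly moved to
# LDAPS, and one "moved" to LDAP but using a cleartext URL with no CA cert.
SAMPLE_SOURCES = [
    {"name": "corp.example", "type": IWA_TYPE, "servers": [], "ca_certs": []},
    {"name": "corp-ldaps", "type": LDAP_TYPE,
     "servers": ["ldaps://dc1.corp.example:636", "ldaps://dc2.corp.example:636"],
     "ca_certs": ["-----BEGIN CERTIFICATE-----\n...constructed placeholder..."]},
    {"name": "corp-ldap-bad", "type": LDAP_TYPE,
     "servers": ["ldap://dc1.corp.example:389"], "ca_certs": []},
]


def check_ldap_url(url):
    """Return a list of problems with one LDAP server URL (empty if acceptable)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme.lower() != "ldaps":
        problems.append(f"{url}: scheme '{parts.scheme}' is not ldaps (directory traffic would be cleartext)")
    host = parts.hostname
    if not host:
        problems.append(f"{url}: no hostname")
    else:
        try:
            ipaddress.ip_address(host)
            # TLS name validation needs the DC's FQDN as it appears in the certificate.
            problems.append(f"{url}: IP literal host; certificate name validation needs the DC's FQDN")
        except ValueError:
            pass  # a DNS name, as expected
    try:
        port = parts.port
    except ValueError:
        port = None
        problems.append(f"{url}: malformed port")
    if port is not None and port not in LDAPS_PORTS:
        problems.append(f"{url}: port {port} is not a standard LDAPS port (636 or 3269)")
    return problems


def audit_source(src):
    """Return findings for one identity source; an empty list means acceptable."""
    findings = []
    kind = src.get("type")
    if kind == IWA_TYPE:
        findings.append("uses Integrated Windows Authentication: CVE-2021-22048 attack vector still present")
    elif kind == FEDERATED_TYPE:
        pass  # AD FS federation takes IWA out of the authentication path
    elif kind == LDAP_TYPE:
        if not src.get("servers"):
            findings.append("LDAP source has no server URLs")
        for url in src.get("servers", []):
            findings.extend(check_ldap_url(url))
        if not src.get("ca_certs"):
            findings.append("no CA certificate configured: the LDAPS server certificate cannot be validated")
    else:
        findings.append(f"unknown identity source type '{kind}'")
    return findings


def audit(sources):
    """Map each identity source name to its list of findings."""
    return {src["name"]: audit_source(src) for src in sources}


def still_exposed(sources):
    """Names of identity sources that still use the affected IWA mechanism."""
    return [src["name"] for src in sources if src.get("type") == IWA_TYPE]


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_SOURCES).items():
        status = "OK" if not findings else "REVIEW"
        print(f"[{status}] {name}")
        for f in findings:
            print(f"    - {f}")
```

Run against an export of your own identity sources, any source listed by still_exposed() leaves the advisory's attack vector in place regardless of which LDAP sources were added alongside it; the workaround only holds once the IWA source is removed.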
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK (CVSS) |
---|---|---|---|
2021-11-10 | CVE-2021-22048 | Privilege escalation in VMware Cloud Foundation and vCenter Server: the vCenter Server IWA (Integrated Windows Authentication) mechanism contains a privilege escalation vulnerability. | 8.8 |