VMware vCenter Server bug disclosed last year still not patched
Security News, October 2022
VMware informed customers today that vCenter Server 8.0 is still waiting for a patch for CVE-2021-22048, a high-severity privilege escalation vulnerability in the Integrated Windows Authentication (IWA) mechanism that was disclosed in November 2021.
According to VMware, the flaw can only be exploited over a network-adjacent vector, in a high-complexity attack that requires low privileges and no user interaction.
"VMware has determined that vCenter 7.0u3f updates previously mentioned in the response matrix do not remediate CVE-2021-22048 and introduce a functional issue," VMware says in the advisory.
While patches are still pending for all affected products, VMware has published a workaround that removes the attack vector.
To block exploitation attempts, VMware advises admins to switch the affected identity source from Integrated Windows Authentication to either Active Directory over LDAPS authentication or Identity Provider Federation for AD FS.
"Active Directory over LDAP authentication is not impacted by this vulnerability. However, VMware strongly recommends that customers plan to move to another authentication method," the company explains.
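A practitioner applying the workaround wants a way to confirm that no IWA identity source is left behind and that any replacement "AD over LDAP" source actually uses LDAPS rather than cleartext LDAP. The script below is an added example written for this page, not VMware code: it audits a list of identity sources exported from vCenter's Single Sign On configuration. The input shape (a list of dicts with `name`, `type` and `primary_url`) and the type labels are assumptions modelled on what the vSphere Client displays; adapt the loader to whatever export you actually have. The sample data is constructed.

```python
"""Audit vCenter SSO identity sources for the CVE-2021-22048 workaround.

Added example, not VMware's own code. The record format below is an
assumption: one dict per identity source with the keys "name", "type"
and "primary_url", as an administrator might transcribe them from
Administration > Single Sign On > Configuration > Identity Sources.
"""

from urllib.parse import urlparse

# Identity source type labels as they appear in the vSphere Client (assumed).
IWA = "Active Directory (Integrated Windows Authentication)"
AD_LDAP = "Active Directory over LDAP"
ADFS = "Identity Provider Federation (AD FS)"

# Constructed sample export: one IWA source still present, one LDAP source
# without TLS, one LDAPS source and one AD FS federation source.
SAMPLE_SOURCES = [
    {"name": "CORP.EXAMPLE", "type": IWA, "primary_url": ""},
    {"name": "corp-ldap", "type": AD_LDAP, "primary_url": "ldap://dc1.corp.example:389"},
    {"name": "corp-ldaps", "type": AD_LDAP, "primary_url": "ldaps://dc1.corp.example:636"},
    {"name": "adfs", "type": ADFS, "primary_url": "https://adfs.corp.example/adfs"},
]


def audit_identity_sources(sources):
    """Return a list of (source name, finding) pairs.

    A finding is raised for any IWA source (the vector for CVE-2021-22048),
    for any AD over LDAP source whose primary URL is not ldaps://, and for
    any type this script does not recognise.
    """
    findings = []
    for src in sources:
        name = src.get("name", "<unnamed>")
        kind = src.get("type")
        if kind == IWA:
            findings.append((name, "IWA identity source is the vector for "
                                   "CVE-2021-22048; migrate to AD over LDAPS "
                                   "or AD FS federation"))
        elif kind == AD_LDAP:
            # The advised workaround is LDAPS; plain ldap:// sends the bind
            # credentials and directory traffic in cleartext.
            scheme = urlparse(src.get("primary_url", "")).scheme.lower()
            if scheme != "ldaps":
                findings.append((name, f"AD over LDAP source uses "
                                       f"{scheme or 'no'} scheme; use ldaps://"))
        elif kind == ADFS:
            # Federation to AD FS is one of VMware's recommended targets.
            continue
        else:
            findings.append((name, f"unrecognised identity source type "
                                   f"{kind!r}; review manually"))
    return findings


def workaround_applied(sources):
    """True when no IWA source remains and every LDAP source uses LDAPS."""
    return not audit_identity_sources(sources)


if __name__ == "__main__":
    for name, finding in audit_identity_sources(SAMPLE_SOURCES):
        print(f"{name}: {finding}")
    print("workaround fully applied:", workaround_applied(SAMPLE_SOURCES))
```

Run it against your own export after migrating each domain; an empty findings list is the condition you want before treating the workaround as complete. Removing the IWA source is what closes the vector; the LDAPS check is a hygiene addition beyond what the advisory states.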
Related news
- VMware Releases vCenter Server Update to Fix Critical RCE Vulnerability
- VMware fixes critical vCenter Server RCE bug – again! (CVE-2024-38812)
- VMware fixes bad patch for critical vCenter Server RCE flaw
- Week in review: Fortinet patches critical FortiManager 0-day, VMware fixes vCenter Server RCE
- Critical RCE bug in VMware vCenter Server now exploited in attacks
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK (CVSS score)
---|---|---|---
2021-11-10 | CVE-2021-22048 | Privilege escalation in the IWA (Integrated Windows Authentication) mechanism of VMware vCenter Server, also affecting VMware Cloud Foundation | 8.8