
=====================================================================

                         CERT-Renater

              Information Note No. 2021/VULN619
_____________________________________________________________________

DATE                : 24/11/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware vCenter Server 6.7 prior to
                     6.7 U3p or 6.5 prior to 6.5 U3r, and
                     Cloud Foundation (vCenter Server) versions 3.x.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2021-0027.html
_____________________________________________________________________

Important


Advisory ID:      VMSA-2021-0027
CVSSv3 Range:     6.5-7.5
Issue Date:       2021-11-23
Updated On:       2021-11-23 (Initial Advisory)
CVE(s):           CVE-2021-21980, CVE-2021-22049


Synopsis:
VMware vCenter Server updates address arbitrary file read and SSRF
vulnerabilities (CVE-2021-21980, CVE-2021-22049)


1. Impacted Products

    VMware vCenter Server (vCenter Server)
    VMware Cloud Foundation (Cloud Foundation)

2. Introduction

Multiple vulnerabilities in VMware vCenter Server were privately
reported to VMware. Updates are available to remediate these
vulnerabilities in affected VMware products.

3a. vCenter Server updates address arbitrary file read vulnerability in
the vSphere Web Client (CVE-2021-21980)


Description

The vSphere Web Client (FLEX/Flash) contains an unauthorized arbitrary
file read vulnerability. VMware has evaluated the severity of this issue
to be in the Important severity range with a maximum CVSSv3 base score
of 7.5.

Known Attack Vectors

A malicious actor with network access to port 443 on vCenter Server may
exploit this issue to gain access to sensitive information.

Resolution

To remediate CVE-2021-21980 apply the updates listed in the 'Fixed
Version' column of the 'Response Matrix' below to affected deployments.


Workarounds

None.


Additional Documentation

None.


Notes

vCenter Server vSphere Web Client (FLEX/Flash) is not available in
vCenter Server 7.x, therefore this issue is not applicable to vCenter
Server 7.x release line.


Acknowledgements

VMware would like to thank ch0wn of Orz lab for reporting this issue to
us.


Response Matrix:

Product         Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
vCenter Server  7.0      Any         CVE-2021-21980  N/A     N/A        Unaffected     N/A          N/A
vCenter Server  6.7      Any         CVE-2021-21980  7.5     important  6.7 U3p        None         None
vCenter Server  6.5      Any         CVE-2021-21980  7.5     important  6.5 U3r        None         None


Impacted Product Suites that Deploy Response Matrix 3a Components:

Product                            Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
Cloud Foundation (vCenter Server)  4.x      Any         CVE-2021-21980  N/A     N/A        Unaffected     N/A          N/A
Cloud Foundation (vCenter Server)  3.x      Any         CVE-2021-21980  7.5     important  Patch Pending  None         None

3b. vCenter Server updates address SSRF vulnerability in the vSphere Web
Client (CVE-2021-22049)

Description

The vSphere Web Client (FLEX/Flash) contains an SSRF (Server Side
Request Forgery) vulnerability in the vSAN Web Client (vSAN UI) plug-in.
VMware has evaluated the severity of this issue to be in the Moderate
severity range with a maximum CVSSv3 base score of 6.5.


Known Attack Vectors

A malicious actor with network access to port 443 on vCenter Server may
exploit this issue by accessing a URL request outside of vCenter Server
or accessing an internal service.

Resolution

To remediate CVE-2021-22049 apply the updates listed in the 'Fixed
Version' column of the 'Response Matrix' below to affected deployments.


Workarounds

None.


Additional Documentation

None.


Notes

vCenter Server vSphere Web Client (FLEX/Flash) is not available in
vCenter Server 7.x, therefore this issue is not applicable to vCenter
Server 7.x release line.


Acknowledgements

VMware would like to thank magiczero from SGLAB of Legendsec at Qi'anxin
Group for reporting this issue to us.

Response Matrix:

Product         Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
vCenter Server  7.0      Any         CVE-2021-22049  N/A     N/A       Unaffected     N/A          N/A
vCenter Server  6.7      Any         CVE-2021-22049  6.5     moderate  6.7 U3p        None         None
vCenter Server  6.5      Any         CVE-2021-22049  6.5     moderate  6.5 U3r        None         None


Impacted Product Suites that Deploy Response Matrix 3b Components:

Product                            Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
Cloud Foundation (vCenter Server)  4.x      Any         CVE-2021-22049  N/A     N/A       Unaffected     N/A          N/A
Cloud Foundation (vCenter Server)  3.x      Any         CVE-2021-22049  6.5     moderate  Patch Pending  None         None
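The two response matrices (sections 3a and 3b) share the same fixed versions, so a single check can triage an inventory against both CVEs. The Python below is an added example, not VMware's or CERT-Renater's code: it parses vCenter Server version strings of the form "6.7 U3p" and compares them with the fixed versions from the matrices. The ordering of update designators (U3 < U3a < ... < U3p) and the inventory shape used by `triage` are assumptions of this example; the fixed versions and the 7.x / 4.x "Unaffected" and 3.x "Patch Pending" rows come from the advisory.

```python
import re

# Fixed versions taken from the response matrices above (both CVEs share them).
FIXED_VCENTER = {"6.5": "6.5 U3r", "6.7": "6.7 U3p"}
UNAFFECTED_VCENTER_LINES = {"7.0"}   # FLEX/Flash client absent, so not applicable

# Matches "6.7", "6.7 U3" and "6.7 U3p" (update designator is case-insensitive).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\s*U(\d+)([a-z])?)?\s*$", re.IGNORECASE)


def parse_version(text):
    """Turn 'X.Y [Un[l]]' into a sortable tuple (major, minor, update, letter_rank).

    Assumption: within one update, releases are ordered by the trailing
    letter (U3 < U3a < U3b < ...), which is how the U3p / U3r names read.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised vCenter Server version: {text!r}")
    major, minor, update, letter = m.groups()
    letter_rank = ord(letter.lower()) - ord("a") + 1 if letter else 0
    return int(major), int(minor), int(update or 0), letter_rank


def release_line(text):
    """'6.7 U3p' -> '6.7'; selects the matrix row for a version."""
    major, minor, _, _ = parse_version(text)
    return f"{major}.{minor}"


def vcenter_status(version):
    """Classify a vCenter Server version against the response matrix."""
    line = release_line(version)
    if line in UNAFFECTED_VCENTER_LINES:
        return "unaffected"
    fixed = FIXED_VCENTER.get(line)
    if fixed is None:
        return "not listed"   # release line not covered by this advisory
    return "fixed" if parse_version(version) >= parse_version(fixed) else "affected"


def cloud_foundation_status(version):
    """Cloud Foundation (vCenter Server) rows: 4.x unaffected, 3.x patch pending."""
    major = int(version.strip().split(".")[0])
    if major == 4:
        return "unaffected"
    if major == 3:
        return "affected (patch pending)"
    return "not listed"


def triage(inventory):
    """Map an inventory of (hostname, product, version) to a status per host.

    The inventory tuple shape is a constructed convention for this example,
    not a VMware API."""
    handlers = {
        "vCenter Server": vcenter_status,
        "Cloud Foundation": cloud_foundation_status,
    }
    return {
        host: handlers.get(product, lambda v: "not listed")(version)
        for host, product, version in inventory
    }


if __name__ == "__main__":
    sample = [  # constructed sample inventory
        ("vc01", "vCenter Server", "6.7 U3g"),
        ("vc02", "vCenter Server", "6.7 U3p"),
        ("vc03", "vCenter Server", "7.0 U3"),
        ("vcf01", "Cloud Foundation", "3.10"),
    ]
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Anything reported as "affected" has no workaround per the advisory, so the only remediation is the listed update; "not listed" lines (for example 6.0) are out of the advisory's scope and need a separate check rather than being treated as safe.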


4. References

Fixed Version(s) and Release Notes:


vCenter Server 6.7 U3p
Downloads and Documentation:
https://customerconnect.vmware.com/en/downloads/details?downloadGroup=VC67U3P&productId=742&rPId=78421
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3p-release-notes.html


vCenter Server 6.5 U3r
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC65U3R&productId=614&rPId=74057
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u3r-release-notes.html


Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21980
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22049


FIRST CVSSv3 Calculator:
CVE-2021-21980: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2021-22049: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L


5. Change Log

2021-11-23 VMSA-2021-0027
Initial security advisory.


6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce


This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org


E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055


VMware Security Advisories
https://www.vmware.com/security/advisories


VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html


VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html


VMware Security & Compliance Blog
https://blogs.vmware.com/security


Twitter
https://twitter.com/VMwareSRC



Copyright 2021 VMware Inc. All rights reserved.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


