VMware has revealed a critical-rated bug in the HTML5 client for its flagship vSphere hybrid cloud suite.
"The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin," says VMware's notification. "A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server."
As vCenter Server is the tool that drives a fleet of virtual servers, this CVSS 9.8-rated bug (CVE-2021-21972) is nasty.
A fix, detailed here, is needed for vSphere versions prior to 7.0 U1c, 6.7 U3l, and 6.5 U3n. As those releases are all at least a few weeks old, users may already have addressed the issue. Users of Cloud Foundation 3.x and 4.x also need to get patching, pronto.
While you're patching that nasty, you may as well also knock off a second HTML client bug (CVE-2021-21973) that VMware says could allow "a malicious actor with network access to port 443" to "exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure."
The same versions of vSphere and Cloud Foundation mentioned above need fixing, with details and downloads to do so here.
Your work's not done once that's sorted because VMware has also fixed up an 8.8-rated flaw (CVE-2021-21974) in its ESXi hypervisor, where "a malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution."
OpenSLP is an open-source version of the IETF Service Location Protocol. Details of how to fix that little mess can be found here and demand your attention if you run vSphere 6.5 and up, or Cloud Foundation 3 or higher. VMware's recent update to its guidance on vSphere security recommended disabling OpenSLP if it's not in use. But that guidance only emerged two weeks ago.
VMware has tipped its hat to Mikhail Klyuchnikov of Positive Technologies for the vSphere client bugs and Lucas Leong of Trend Micro's Zero Day Initiative for the OpenSLP bug.
VMware's HTML5 client replaced a Flash-based tool because Virtzilla knew that Adobe's buggy mess was on death row. The HTML5 client oozed out over years, only achieving feature parity more than two years after initial release.
Today's bugs won't leave vAdmins pining for the good old days of Flash, but with a new UI for ESXi in the works, they'll need to remain vigilant. ®