VMware warns of critical remote code execution flaw in vSphere HTML5 client

If you don't patch, the hosts driving all your virty servers are at risk. So maybe your to-do list needs a tickle?


VMware has revealed a critical-rated bug in the HTML5 client for its flagship vSphere hybrid cloud suite.

"The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin," says VMware's notification. "A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server."

As vCenter Server is the tool that drives a fleet of virtual servers, this CVSS 9.8-rated bug (CVE-2021-21972) is nasty.

A fix, detailed in VMware's advisory, is needed for vSphere versions prior to 7.0 U1c, 6.7 U3l, and 6.5 U3n. As those releases are all at least a few weeks old, users may already have addressed the issue. Users of Cloud Foundation 3.x and 4.x also need to get patching, pronto.

While you're patching that nasty, you may as well also knock off a second HTML client bug (CVE-2021-21973) that VMware says could allow "a malicious actor with network access to port 443" to "exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure."

The same versions of vSphere and Cloud Foundation mentioned above need fixing, with details and downloads in VMware's advisory.
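The two vSphere Client bugs share one set of fixed releases (7.0 U1c, 6.7 U3l, 6.5 U3n), so the first question for an administrator is simply which vCenter instances in the estate sit below those lines. The following Python is an added example, not VMware's tooling or anything from the advisory: it parses vSphere release strings of the form "major.minor Un<letter>" (assumed here to be how the inventory records them), orders them the way VMware numbers updates (update number, then trailing letter, with a bare "U1" earlier than "U1a"), and buckets a constructed, hypothetical inventory into patched, unpatched and not-covered. Release lines the article does not mention (such as 8.0) are reported as unknown rather than guessed at.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Fixed vCenter Server releases named in the advisory for CVE-2021-21972 and
# CVE-2021-21973; anything earlier on the same release line is unpatched.
FIXED_RELEASES = {
    "7.0": "7.0 U1c",
    "6.7": "6.7 U3l",
    "6.5": "6.5 U3n",
}

# Accepts "7.0", "7.0 U1", "7.0 U1c" and "7.0U1c" (assumed inventory format).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\s*U(\d+)([a-z])?)?\s*$", re.IGNORECASE)


class VsphereRelease(NamedTuple):
    major: int
    minor: int
    update: int   # 0 for a GA release with no "Un" suffix
    letter: str   # "" when there is no trailing letter; "" sorts before "a"

    @property
    def line(self) -> str:
        """Release line used to pick the matching fixed version, e.g. "6.7"."""
        return f"{self.major}.{self.minor}"


def parse_release(text: str) -> VsphereRelease:
    """Parse a vSphere release string into a tuple that compares in patch order."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised vSphere release string: {text!r}")
    major, minor, update, letter = match.groups()
    return VsphereRelease(int(major), int(minor), int(update or 0), (letter or "").lower())


def is_patched(version: str) -> Optional[bool]:
    """True if the release is at or above the fixed build for its line,
    False if below it, None if the line is not covered by the advisory."""
    release = parse_release(version)
    fixed = FIXED_RELEASES.get(release.line)
    if fixed is None:
        return None
    # NamedTuple comparison walks (major, minor, update, letter) in order.
    return release >= parse_release(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket a {host: version} inventory into patched / unpatched / unknown."""
    report: Dict[str, List[str]] = {"patched": [], "unpatched": [], "unknown": []}
    for host, version in inventory.items():
        status = is_patched(version)
        bucket = "unknown" if status is None else ("patched" if status else "unpatched")
        report[bucket].append(host)
    return report


# Constructed sample inventory: hypothetical hostnames and versions, not from the article.
SAMPLE_INVENTORY = {
    "vc-prod-01": "7.0 U1c",
    "vc-prod-02": "7.0 U1",
    "vc-lab-01": "6.7 U3l",
    "vc-lab-02": "6.7 U3b",
    "vc-legacy": "6.5 U3n",
    "vc-legacy-2": "6.5",
    "vc-new": "8.0",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:>9}: {', '.join(hosts) or '-'}")
```

A release string is only a proxy: the authoritative check is the build number listed in VMware's advisory, and an appliance that reports "7.0 U1c" in one place can still carry an older plugin if an update was interrupted. The ESXi OpenSLP bug is deliberately left out, because the article gives no fixed ESXi release to compare against.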

Your work's not done once that's sorted because VMware has also fixed up an 8.8-rated flaw (CVE-2021-21974) in its ESXi hypervisor, where "a malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution."

OpenSLP is an open-source implementation of the IETF Service Location Protocol. Details of how to fix that little mess are in VMware's advisory and demand your attention if you run vSphere 6.5 and up, or Cloud Foundation 3 or higher. VMware's recent update to its guidance on vSphere security recommended disabling OpenSLP if it's not in use. But that guidance only emerged two weeks ago.

VMware has tipped its hat to Mikhail Klyuchnikov of Positive Technologies for the vSphere client bugs and Lucas Leong of Trend Micro's Zero Day Initiative for the OpenSLP bug.

VMware's HTML5 client replaced a Flash-based tool because Virtzilla knew that Adobe's buggy mess was on death row. The HTML5 client oozed out over years, only achieving feature parity more than two years after initial release.

Today's bugs won't leave vAdmins pining for the good old days of Flash, but with a new UI for ESXi in the works, they'll need to remain vigilant. ®
