Multiple High-Risk Vulnerabilities in VMware Products

Published on 24 Feb 2021

Updated on 14 Apr 2021

VMware has released security updates (advisory VMSA-2021-0002) to address several vulnerabilities in VMware vCenter Server and VMware ESXi. The two most severe, both of which are present in default installations, are:

  • CVE-2021-21972: a remote code execution vulnerability in a vCenter Server plugin of the vSphere Client (HTML5) that allows an attacker with network access to port 443, without any credentials, to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This vulnerability has a CVSSv3 base score of 9.8.
  • CVE-2021-21974: a heap-overflow vulnerability in the OpenSLP service used within ESXi that allows an attacker residing within the same network segment as the ESXi host, with access to port 427, to trigger the overflow and achieve remote code execution on the host. This vulnerability has a CVSSv3 base score of 8.8.

The vulnerabilities affect the following product versions:

  • VMware vCenter Server version 7.0, 6.7 and 6.5
  • VMware ESXi version 7.0, 6.7 and 6.5


Users and administrators of the affected versions are advised to upgrade to the fixed versions listed in the VMware advisory immediately. Where an upgrade cannot be applied at once, VMware also documents interim workarounds (disabling the affected vCenter Server plugin, and disabling the SLP service on ESXi) that should be applied until the update is installed. Exposure of port 443 on vCenter Server to untrusted networks, and of port 427 on ESXi hosts to shared network segments, should be reviewed as a priority.
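The following script is an added example for this advisory; it is not VMware's code and not part of the original notice. It lets an ESXi administrator check a host's build and whether the OpenSLP service (port 427) is still reachable through the ESXi firewall, and, on request, applies VMware's documented interim workaround of stopping slpd, closing its CIMSLP firewall ruleset and keeping it from starting at boot. The file name and the "status"/"disable" arguments are this example's own choices; the esxcli, chkconfig and /etc/init.d/slpd commands are the standard ESXi ones. Run it in the ESXi shell as root; on any other system it only parses constructed sample output.

```shell
#!/bin/sh
# Added example (not VMware's code): check exposure to CVE-2021-21974 on an ESXi
# host and apply the documented SLP workaround until the VMSA-2021-0002 patch
# is installed. Usage on ESXi: `sh slp_check.sh status` or `sh slp_check.sh disable`
# (the file name and argument names are this example's own choices).

# Print "<version> <build>" from `esxcli system version get` output read on stdin,
# e.g. "6.7.0 17167734", for comparison with the fixed builds listed in the VMSA.
esxi_version_build() {
    awk -F': *' '{ gsub(/^ +/, "", $1) }
        $1 == "Version" { v = $2 }
        $1 == "Build"   { b = $2; sub(/^Releasebuild-/, "", b) }
        END { print v, b }'
}

# Exit 0 if the CIMSLP ruleset is enabled in `esxcli network firewall ruleset list`
# output read on stdin, i.e. port 427 is reachable through the ESXi firewall.
cimslp_enabled() {
    awk 'BEGIN { rc = 1 } $1 == "CIMSLP" && $2 == "true" { rc = 0 } END { exit rc }'
}

# Exit 0 if slpd is configured to start at boot in `chkconfig --list` output read on stdin.
slpd_autostart() {
    awk 'BEGIN { rc = 1 } $1 == "slpd" && $2 == "on" { rc = 0 } END { exit rc }'
}

# Show the host build and whether SLP is still exposed (live ESXi host only).
slp_status() {
    printf 'ESXi version/build: %s\n' "$(esxcli system version get | esxi_version_build)"
    if esxcli network firewall ruleset list | cimslp_enabled; then
        echo 'CIMSLP firewall ruleset: enabled (port 427 reachable from the host network)'
    else
        echo 'CIMSLP firewall ruleset: disabled'
    fi
    if chkconfig --list | slpd_autostart; then
        echo 'slpd autostart: on'
    else
        echo 'slpd autostart: off'
    fi
}

# VMware's documented workaround: stop slpd, close its firewall ruleset and keep it
# from starting at boot. Caveat: CIM clients that discover the host through SLP
# (some hardware-monitoring tools) lose that discovery until SLP is re-enabled.
disable_slp() {
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
}

if command -v esxcli >/dev/null 2>&1; then
    case "${1:-status}" in
        status)  slp_status ;;
        disable) disable_slp && slp_status ;;
        *) echo "usage: $0 [status|disable]" >&2; exit 2 ;;
    esac
else
    # Not an ESXi host: exercise the parsers on constructed sample output so the
    # script can be tried offline. The values below are made up for illustration.
    printf '   Product: VMware ESXi\n   Version: 6.7.0\n   Build: Releasebuild-17167734\n' | esxi_version_build
    printf 'Name     Enabled\n-------  -------\nCIMSLP   true\n' | cimslp_enabled \
        && echo 'sample: CIMSLP enabled, port 427 exposed'
fi
```

Compare the printed build against the fixed build for the host's release line in the advisory's response matrix; a host whose build is older than the fix and whose CIMSLP ruleset is still enabled is exposed to CVE-2021-21974 from every machine on the same segment. Disabling SLP is a stop-gap, not a substitute for the update.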


More information is available here:

https://www.vmware.com/security/advisories/VMSA-2021-0002.html