VMware Security Advisory – 2021 May 27th

In Cyber Security by Matsco Engineering Team

 

Multiple vulnerabilities in the vSphere Client (HTML5) were privately reported to VMware. Updates and workarounds are available to address these vulnerabilities in affected VMware products.

The vSphere Client (HTML5) contains a remote code execution vulnerability due to a lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

The following systems/applications are affected:

 

  • vCenter Server 7.0
  • vCenter Server 6.7
  • vCenter Server 6.5
  • Cloud Foundation (vCenter Server) 4.x
  • Cloud Foundation (vCenter Server) 3.x

VMware have released security updates to address vulnerabilities in VMware vCenter Server and VMware ESX. For more details, please refer to:
https://www.vmware.com/security/advisories/VMSA-2021-0010.html

Matsco Solutions are currently testing the fix to ensure there are no issues with it and will be reaching out to clients running the affected VMware products to schedule updates to their environments.
 

Please contact the Matsco Solutions team using the details below if you would like any further information or would like to schedule maintenance.

support@matscosolutions.com

Beijing  +86 400 120 2782
Hong Kong  +852 8101 8418
London   +44 (0)20 7821 4950
New York  +1 866 446 9226
Singapore  +65 6100 1090
