VMware has released a patch for issues that exist within the vCenter Server. The two bugs are CVE-2021-21985 and CVE-2021-21986, the former being a critically severe vulnerability with a 9.8 rating on the Common Vulnerability Scoring System (CVSS). CVE-2021-21985 is defined as a remote code execution vulnerability that can be easily exploited.
In the threat notice, VMware states the following about CVE-2021-21985:
The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server... A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
While there are workarounds, VMware highly recommends patching the vCenter Server as soon as possible to fix this issue.
In the case of the second patch for CVE-2021-21986, the issue relates to the vCenter Server plug-in framework. According to a blog post covering the recent patches, VMware states that they implemented the patch to “better enforce plugin authentication.”
There is a possibility that this patch will affect plug-ins. VMware explains this issue as follows:
This affects some VMware plug-ins, and may also cause some third-party plug-ins to stop working. VMware partners have been notified and are working to test their plug-ins (most continue to work), but there may be a period after updating when a virtualization admin team may need to access backup, storage, or other systems through their respective management interfaces and not through the vSphere Client UI. If a third-party plug-in in your environment is affected, please contact the vendor that supplied it for an update.
All in all, these patches are essential and should not be put off. If you must ignore a patch, the CVE-2021-21986 plug-in framework patch can probably be put off for a little bit. In the case of CVE-2021-21985, you should not delay. This is an insanely dangerous vulnerability and should be closed as soon as possible.
Featured image: Shutterstock