‘Important’ severity flaws both reside in the vSphere Web Client

VMware addresses SSRF, arbitrary file read flaws in vCenter Server

VMware has released security updates for vCenter Server after fixing arbitrary file read and server-side request forgery (SSRF) vulnerabilities in the vSphere Web Client (FLEX/Flash).

Enterprises running vulnerable instances of the server management platform have been advised to apply relevant updates by a VMWare security advisory issued yesterday (November 23), as well by the US Cybersecurity and Infrastructure Security Agency (CISA) today (November 24).

Both flaws were designated as ‘important’ in terms of severity.


Read more of the latest enterprise security news


With a CVSS rating of 7.5, the most severe is the arbitrary file read bug (CVE-2021-21980), abuse of which could potentially enable a malicious actor to gain access to sensitive information.

The SSRF vulnerability (CVE-2021-22049), which has a CVSS of 6.5, was more specifically found in the vSAN Web Client (vSAN UI) plugin.

An attacker could exploit this flaw by accessing an internal service or URL request outside of vCenter Server.

Security updates

VMware has released security updates that address both flaws for vCenter Server versions 6.5 and 6.7.

The 7.x release line, which cannot use vSphere Web Client (FLEX/Flash), is unaffected by the flaws.


RECOMMENDED Research has come a long way, but gaps remain – security researcher Artur Janc on the state of XS-Leaks


Patches for both bugs are pending for Cloud Foundation’s 3.x release line, while 4.x is unaffected.

VMware thanked ‘ch0wn’ of Orz lab for reporting the arbitrary file read issue and ‘magiczero’ from the QI-ANXIN Group for reporting the SSRF.

Prime target

Of the five server virtualization products with the biggest market share, three are VMware platforms, with vSphere the market leader and vCenter Server ranking fifth, according to Statista.

Together with many enterprises’ slowness to apply updates, VMware’s dominance of the server virtualization market has made its products in this arena prime targets for sophisticated attackers.

In September, The Daily Swig reported on the active exploitation of another, critical arbitrary file upload flaw in vCenter Server.

And in June it emerged that thousands of vCenter Server instances remained unpatched for a pair of critical flaws in vSphere Client (HTML5) three weeks after their disclosure.

Earlier, in February, The Daily Swig reported that an even greater number of vCenter installations were potentially at risk as attackers probed systems for the presence of a critical RCE bug.


YOU MIGHT ALSO LIKE Researcher finds SSRF bug in internal Google Cloud project, nabs $10,000 bounty