CVE-2021-21972, CVE-2021-21974: VMware vCenter Server and ESXi Vulnerabilities Alert

On February 23, 2021, VMware released risk notices for vCenter Server and ESXi. VMware fixed two high-risk vulnerabilities in ESXi and vSphere Client (HTML5). Malicious attackers with access to the network ports can execute arbitrary code through these vulnerabilities.

Vulnerability Detail

CVE-2021-21972: remote code execution vulnerability in the vSphere Client

A malicious attacker with access to port 443 can send a carefully constructed request to vCenter Server, ultimately resulting in remote arbitrary code execution.

CVE-2021-21974: ESXi OpenSLP heap-overflow vulnerability

A malicious attacker who is on the same network segment as ESXi and has access to port 427 can construct a malicious request packet to trigger a heap overflow vulnerability in the OpenSLP service and ultimately cause remote code execution.

Affected versions

  • VMware ESXi: 7.0/6.7/6.5
  • VMware vCenter Server: 7.0/6.7/6.5

Unaffected versions

  • VMware vCenter Server: 7.0 U1c/6.7 U3l/6.5 U3n
  • VMware ESXi: ESXi70U1c-17325551/ESXi670-202102401-SG/ESXi650-202102101-SG

Solution

We recommend that users promptly upgrade vCenter Server and ESXi products to the latest version.
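To find which vCenter Server instances still need the upgrade, the fixed releases listed above can be turned into a triage check. This is an added example, not VMware's tooling: the host names and inventory are constructed, and it assumes that update labels order by update number and then by letter suffix (U3k < U3l < U3m) and that each instance's release label is already known. It covers vCenter Server only.

```python
import re

# Fixed vCenter Server releases exactly as listed in this advisory.
FIXED_VCENTER = {"7.0": "U1c", "6.7": "U3l", "6.5": "U3n"}

# Accepts "6.7 U3l", "7.0.U1c", "6.5U3n" or a bare "6.5" (no update applied).
_LABEL = re.compile(r"^\s*(\d+\.\d+)(?:[ .]*U(\d+)([a-z]?))?\s*$", re.IGNORECASE)


def parse_release(label):
    """Split a release label into (release line, update number, letter suffix)."""
    m = _LABEL.match(label)
    if not m:
        raise ValueError(f"unrecognised release label: {label!r}")
    line, update, letter = m.groups()
    return line, int(update or 0), (letter or "").lower()


def triage(label):
    """Return 'fixed', 'vulnerable', or 'not-listed' for one release label."""
    line, update, letter = parse_release(label)
    fixed = FIXED_VCENTER.get(line)
    if fixed is None:
        return "not-listed"  # release line is not covered by this advisory
    _, f_update, f_letter = parse_release(f"{line} {fixed}")
    # Assumption: (update number, letter) tuples sort in release order.
    return "fixed" if (update, letter) >= (f_update, f_letter) else "vulnerable"


def needs_upgrade(inventory):
    """Names of instances whose release predates the fixed one, sorted."""
    return sorted(n for n, rel in inventory.items() if triage(rel) == "vulnerable")


# Constructed sample inventory (hypothetical host names).
SAMPLE_INVENTORY = {
    "vc-prod-01": "6.7 U3k",
    "vc-lab-02": "7.0 U1c",
    "vc-dr-03": "6.5 U3n",
    "vc-old-04": "6.5 U2",
}

if __name__ == "__main__":
    for name, release in sorted(SAMPLE_INVENTORY.items()):
        print(f"{name:12} {release:8} {triage(release)}")
```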