CVE-2021-21972, CVE-2021-21974: VMware vCenter Server and ESXI Vulnerabilities Alert
On February 23, 2021, VMware had released risk notices for the vCenter Server and ESXi. VMware fixed two high-risk vulnerabilities in ESXi and vSphere Client (HTML5). Malicious attackers with access to network ports can execute arbitrary code through the vulnerabilities.
Vulnerability Detail
CVE-2021-21972: remote code execution vulnerability in the vSphere Client
A malicious attacker with access to port 443 can send a carefully constructed request to vCenter Server, which will eventually cause remote arbitrary code execution.
CVE-2021-21974: ESXi OpenSLP heap-overflow vulnerability
A malicious attacker who is on the same network segment as ESXI and has access to port 427 can construct a malicious request packet to trigger a heap overflow vulnerability in the OpenSLP service and ultimately cause remote code execution.
Affected version
- VMware ESXi: 7.0/6.7/6.5
- VMware vCenter Server: 7.0/6.7/6.5
Unaffected version
- VMware vCenter Server: 7.0.U1c/6.7.U3l/6.5 U3n
- VMware ESXi: ESXi70U1c-17325551/ESXi670-202102401-SG/ESXi650-202102101-SG
Solution
In this regard, we recommend that users upgrade vCenter Server and ESXi products to the latest version in time.
