PT-2021-2131 · VMware · vSphere Client
Mikhail Klyuchnikov · Published 2021-02-23 · Updated 2026-02-15
| Identifier | CVE-2021-21972 |
| CVSS v2.0 | 10 (Critical) |
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
VMware vCenter Server versions 6.5 before 6.5 U3n
VMware vCenter Server versions 6.7 before 6.7 U3l
VMware vCenter Server versions 7.x before 7.0 U1c
VMware Cloud Foundation versions 3.x before 3.10.1.2
VMware Cloud Foundation versions 4.x before 4.2
Description
The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This vulnerability is related to insufficient input validation.
Recommendations
For VMware vCenter Server version 6.5, update to version 6.5 U3n or later.
For VMware vCenter Server version 6.7, update to version 6.7 U3l or later.
For VMware vCenter Server version 7.x, update to version 7.0 U1c or later.
For VMware Cloud Foundation version 3.x, update to version 3.10.1.2 or later.
For VMware Cloud Foundation version 4.x, update to version 4.2 or later.
As a temporary workaround, consider restricting access to the vSphere Client (HTML5) until a patch is available.
Tags: RCE, Path traversal
Affected Products
VMware vCenter
VMware Cloud Foundation
VMware vCenter Server
vSphere Client