VMware Releases Security Update for vCenter Server and Cloud Foundation

Summary

Security update for vCenter Server and Cloud Foundation


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

VMware has released important security updates to address two vulnerabilities in the vSphere Web Client (FLEX/Flash) portion of vCenter Server. CVE-2021-21980 is an arbitrary file read vulnerability in the vSphere Web Client, and CVE-2021-22049 is an SSRF (Server-Side Request Forgery) vulnerability in the vSAN Web Client (vSAN UI) plug-in. An attacker with access to port 443 on vCenter Server could gain access to sensitive information or take control of a system.

The vCenter Server 7.x and Cloud Foundation 4.x release lines are not affected by these vulnerabilities as they do not use the vCenter Server vSphere Web Client (FLEX/Flash).


Remediation advice

Affected organisations are encouraged to review VMware Security Advisory VMSA-2021-0027 and apply any relevant updates.



Last edited: 24 November 2021 2:04 pm