Sep 22 2021

VMware patch bulletin warns: “This needs your immediate attention.”

Category: Virtualization | DISC @ 11:02 am

VMware’s latest security update includes patches for 19 different CVE-numbered vulnerabilities affecting the company’s vCenter Server and Cloud Foundation products.

All of the bugs can be considered serious – they wouldn’t be enumerated in an official security advisory if they weren’t – but VMware has identified one of them, dubbed CVE-2021-22005, as more critical than the rest.

Indeed, VMware’s official FAQ for Security Advisory VMSA-2021-0020 urges that:

The ramifications of this vulnerability are serious and it is a matter of time – likely minutes after the disclosure – before working exploits are publicly available.

In particular, the company explains:

The most urgent [patch] addresses CVE-2021-22005, a file upload vulnerability that can be used to execute commands and software on the vCenter Server Appliance. This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server.

VMware unabashedly says that “this needs your immediate attention,” and we think it’s a good thing to see a software vendor talking about cybersecurity response in plain English instead of mincing its words.


Tags: VMware