VMware has disclosed a bug in its flagship vSphere and vCenter products. The company is urging customers to halt everything and patch it up. The virtualization giant also has a workaround in place.
The bug is one of the 19 disclosed by the company. The nastiest one is the CVE-2021-22005, which was described as an arbitrary file upload vulnerability in the Analytics service of the vCenter Server. The flaw has a rating of 9.8 out of 10 on the Common Vulnerability Scoring System.
VMware released an advisory saying that a threat actor with network access to port 443 on vCenter Server may exploit the issue.
Assume the worst and patch up
The attacker could execute code on vCenter Server by uploading an engineered file. As vCenter Server is VMware’s tool to manage fleets of virtual machines, a breach could be severely damaging.
The company has, in essence, admitted that users should assume the disclosure means ransomware attacks and other infections are inevitably on the way if users do not apply the patch immediately. In this era of ransomware, it is safest to assume that an attacker is already somewhere in your network.
They may even be controlling a user account, which is why Virtzilla’s blog post about the flaw recommends patching ASAP.
A patch and a workaround
Workarounds are temporary solutions that buy users time to patch so they are not sitting ducks in the interim. VMware said the workaround relies on changing vSphere in ways that it is not intended to change and may cause serious issues when errors occur.
Check your version number because vCenter Server 7.0 U2d, 6.7U3o, and 6.5 U3q are fixed. Cloud Foundation v4.3.1 and v3.10.2.2 also aren’t too urgent. vSphere 6.5, Cloud Foundation 3.x and 4.x, vCenter Server 6.7 and 7.0 need patching. Do it ASAP!