SimplerCloud Pte Ltd


News: Security Advisory: VMware vCenter Server Critical Vulnerability

Published: 26/05/2021

This advisory is provided as a courtesy.

We would like to bring to your attention a newly discovered critical vulnerability affecting VMware vCenter Server, a popular centralized tool for managing multiple VMware vSphere Hypervisor and ESXi host servers. The vulnerability affects all current versions of vCenter Server (6.5, 6.7, and 7.0) and has been rated 9.8 out of 10, which is critical. If you use vCenter Server to manage your VMware hypervisor servers, you are strongly advised to take action immediately.


This critical vulnerability is caused by a lack of input validation in the Virtual SAN (vSAN) Health Check plug-in, which is enabled by default. The vulnerability exists even when vSAN is not being used. An attacker may exploit the issue by accessing vCenter Server through port 443.


Affected Software


VMware vCenter Server versions 6.5, 6.7, and 7.0


How to Fix the Problem


Download the latest vCenter Server patch from the VMware portal and install it on your vCenter Server immediately. The fixed release for each version is:


vCenter Server 7.0 - 7.0 U2b
vCenter Server 6.7 - 6.7 U3n
vCenter Server 6.5 - 6.5 U3p
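
To check several vCenter Servers against the fixed releases listed above, the following added example (not code from VMware or SimplerCloud) classifies each release label as patched or needing the patch. The label format ("7.0 U2a", "6.7 Update 3m", "7.0 GA"), the function names and the sample host names are assumptions made for illustration.

```python
import re

# Fixed releases exactly as listed in this advisory, keyed by release line.
FIXED = {"7.0": "7.0 U2b", "6.7": "6.7 U3n", "6.5": "6.5 U3p"}

# Assumed label format: "<line> U<number><optional letter>" or "<line> GA".
_LABEL = re.compile(r"^(\d+\.\d+)\s+(?:GA|U(?:pdate\s*)?(\d+)([a-z]?))$", re.I)


def parse_release(label):
    """Return (line, update_number, patch_letter) for a release label."""
    m = _LABEL.match(label.strip())
    if not m:
        raise ValueError(f"unrecognised release label: {label!r}")
    line, update, letter = m.groups()
    # GA has no update number; "" sorts before any letter, so U2 < U2a < U2b.
    return line, int(update or 0), (letter or "").lower()


def status(label):
    """Classify one vCenter Server release label against the fixed releases."""
    try:
        line, update, letter = parse_release(label)
    except ValueError:
        return "unknown"      # do not guess: flag the host for manual review
    if line not in FIXED:
        return "not-listed"   # release line is not covered by this advisory
    _, fixed_update, fixed_letter = parse_release(FIXED[line])
    if (update, letter) >= (fixed_update, fixed_letter):
        return "patched"
    return "needs-patch"


def triage(inventory):
    """Map host name -> status for a {host: release label} inventory."""
    return {host: status(label) for host, label in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; host names are placeholders.
    sample = {"vc-a.example": "7.0 U2a", "vc-b.example": "6.7 Update 3n",
              "vc-c.example": "6.5 GA", "vc-d.example": "build unknown"}
    for host, result in triage(sample).items():
        print(f"{host:15} {sample[host]:15} {result}")
```

Hosts reported as "unknown" or "not-listed" need a manual check against the VMware advisory rather than being assumed safe.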


If patching your vCenter Server is not possible, you may instead apply the workaround outlined in the VMware advisory (see "More information" below).


More information


VMware Advisory: VMSA-2021-0010
VMware Blog Post: VMSA-2021-0010: What You Need to Know
CVE-2021-21985: Critical VMware vCenter Server Remote Code Execution
Patch immediately: VMware warns of critical remote code execution hole in vCenter


Request Assistance


If you are running vCenter Server on your VMware setup and need our assistance to patch it, we can perform the patch installation for you at a one-time discounted fee of $30. Please submit your order at Order -> Additional Services -> Vulnerability Fix - WINDOWS: HTTP.sys; Schannel; Freak Attack, WannaCry, Petya (Win), VMWare vCenter Server - $30


Alternatively, please first open a support ticket and give us the details of your VMware deployment and setup.

Thank you.