VMware warns of critical remote code execution flaw in vSphere HTML5 client


VMware has revealed a critical-rated bug in the HTML5 client for its flagship vSphere hybrid cloud suite.


“The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin,” says VMware’s notification. “A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.”

As vCenter Server is the tool that drives a fleet of virtual servers, this CVSS 9.8-rated bug (CVE-2021-21972) is nasty.


A fix, detailed here, is needed for vSphere versions prior to 7.0 U1c, 6.7 U3l, and 6.5 U3n. As those releases are all at least a few weeks old, users may already have addressed the issue. ..
