VMware warns of critical remote code execution flaw in vSphere HTML5 client

VMware warns of critical remote code execution flaw in vSphere HTML5 client

VMware has revealed a critical-rated bug in the HTML5 client for its flagship vSphere hybrid cloud suite.


“The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin,” says VMware’s notification. “A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.”

As vCenter Server is the tool that drives a fleet of virtual servers, this CVSS 9.8-rated bug (CVE-2021-21972) is nasty.


A fix, detailed here, is needed for vSphere versions prior to 7.0 U1c, 6.7 U3l, and 6.5 U3n. As those releases are all at least a few weeks old, users may already have addressed the issue. Users of Cloud Foundation 3.x and 4.x also need to get patching, pronto.

While you’re patching that nasty, you may as well also knock off a second HTML client bug (CVE-2021-21973) that VMware says could allow: “A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure.”


The same versions of vSphere and Cloud Foundation mentioned above need fixing, with details and downloads to do so on offer here.


Your work’s not done once that’s sorted because VMware has also fixed up an 8.8-rated flaw (CVE-2021-21974) in its ESXi hypervisor that means: “A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overf ..