How to check for VMware vulnerabilities: CVE-2021-21985 and CVE-2021-21986

Brock Bingham candid headshot
Brock Bingham|Updated June 1, 2021
VMware Vulnerability With A Severity Rating of 9.8 Out Of 10 Disclosed
VMware Vulnerability With A Severity Rating of 9.8 Out Of 10 Disclosed

Have you ever heard of VMware? You'd be forgiven if you hadn't. It only has about 400,000 customers, including 100% of today’s Fortune 500 companies (cue Will Ferrell saying, "I'm kind of a big deal.")  In fact, I'd be willing to bet that, since you're here reading this article, you most likely utilize VMware in your organization. If that's the case, you probably have some emergency patching to do.

The threat

On Tuesday, May 25th, VMware disclosed a security vulnerability affecting its very popular vCenter Server Management Solution and VMware Cloud Foundation. vCenter Server provides a centralized platform for controlling VMware vSphere environments and is utilized extensively in larger organizations and data centers.

The vulnerability, tracked as CVE-2021-21985 and CVE-2021-21986, is rated a 9.8 out of 10 on the severity scale, which is about as critical as it gets. The vulnerability resides in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server.  Here is the description provided by VMware:

"The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8."

VMware provided further details about the attack vector, explaining that:

"A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server." 

Because this threat lives on the virtualization layer, successfully exploiting the vulnerability would provide attackers with immense control over environments.

The affected versions of vCenter Server are versions 6.5, 6.7, and 7.0. Considering that version 6.0 reached end of life in March of 2020, it's safe to say that all currently supported versions of vCenter Server are affected by this vulnerability.

The solution

As you can imagine, a massive organization like VMware takes threats like this very seriously. As a result, VMware has provided several updates that became available at the same time the vulnerability was disclosed. A workaround is also available if immediate patching is not an option. Here are the relevant links to version updates as well as their documentation (keep in mind that you may need to be logged in to My VMware in order to access the downloads):

vCenter Server 7.0 U2b

Downloads and documentation:

vCenter Server 6.7 U3n

vCenter Server 6.5 U3p

Downloads and Documentation:

VMware vCloud Foundation 4.2.1

Downloads and documentation:

VMware vCloud Foundation 3.10.2.1

Downloads and documentation:

Alternative workaround

If immediate patching is not an option, then VMware recommends disabling the affected plugins until the patches can be deployed. Be aware that disabling these plugins is considered a temporary solution and will disable the functionality of the plugins. To disable the plugins, you must mark the plugins as incompatible in the compatibility-matrix.xml file. Changing these settings within the user interface does not prevent exploitation. 

  • Here are the plugins and XML lines that need to be added to the compatibility-matix.xml file:<PluginPackage id="com.vmware.vrops.install" status="incompatible"/>

  • <PluginPackage id="com.vmware.vsphere.client.h5vsan" status="incompatible"/>

  • <PluginPackage id="com.vmware.vrUi" status="incompatible"/>

  • <PluginPackage id="com.vmware.vum.client" status="incompatible"/>

  • <PluginPackage id="com.vmware.h4.vsphere.client" status="incompatible"/>

More information about this workaround can be found here.

 Two critical vulnerabilities down with more to come

This is the second vCenter vulnerability this year to have a severity rating of 9.8. This vulnerability, along with the plethora of Chrome, Adobe, and Microsoft vulnerabilities that have recently been discovered, ensures that sysadmins worldwide have their work cut out for them. All I can say is, keep up the good fight. Maybe one day we'll live in a world where vulnerabilities are a thing of the past,but I wouldn't hold your breath.

Brock Bingham candid headshot
Brock Bingham

Born in the '80s and raised by his NES, Brock quickly fell in love with everything tech. With over 15 years of IT experience, Brock now enjoys the life of luxury as a renowned tech blogger and receiver of many Dundie Awards. In his free time, Brock enjoys adventuring with his wife, kids, and dogs, while dreaming of retirement.

Related articles