VMware Warns of Critical Content Upload Vulnerability Affecting vCenter Server – The Hacker News

VMware on Tuesday published a new bulletin warning of as many as 19 vulnerabilities in vCenter Server and Cloud Foundation appliances that a remote attacker could exploit to take control of an affected system.

The most urgent among them is an arbitrary file upload vulnerability in the Analytics service (CVE-2021-22005) that impacts vCenter Server 6.7 and 7.0 deployments. “A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file,” the company noted, adding “this vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server.”

Although VMware has published workarounds for the flaw, the company cautioned that they are “meant to be a temporary solution until updates […] can be deployed.”

The complete list of flaws patched by the virtualization services provider is as follows —

  • CVE-2021-22005 (CVSS score: 9.8) – vCenter Server file upload vulnerability
  • CVE-2021-21991 (CVSS score: 8.8) – vCenter Server local privilege escalation vulnerability
  • CVE-2021-22006 (CVSS score: 8.3) – vCenter Server reverse proxy bypass vulnerability
  • CVE-2021-22011 (CVSS score: 8.1) – vCenter Server unauthenticated API endpoint vulnerability
  • CVE-2021-22015 (CVSS score: 7.8) – vCenter Server improper permission local privilege escalation vulnerabilities
  • CVE-2021-22012 (CVSS score: 7.5) – vCenter Server unauthenticated API information disclosure vulnerability
  • CVE-2021-22013 (CVSS score: 7.5) – vCenter Server file path traversal vulnerability
  • CVE-2021-22016 (CVSS score: 7.5) – vCenter Server reflected XSS vulnerability
  • CVE-2021-22017 (CVSS score: 7.3) – vCenter Server rhttpproxy bypass vulnerability
  • CVE-2021-22014 (CVSS score: 7.2) – vCenter Server authenticated code execution vulnerability
  • CVE-2021-22018 (CVSS score: 6.5) – vCenter Server file deletion vulnerability
  • CVE-2021-21992 (CVSS score: 6.5) – vCenter Server XML parsing denial-of-service vulnerability
  • CVE-2021-22007 (CVSS score: 5.5) – vCenter Server local information disclosure vulnerability
  • CVE-2021-22019 (CVSS score: 5.3) – vCenter Server denial of service vulnerability
  • CVE-2021-22009 (CVSS score: 5.3) – vCenter Server VAPI multiple denial of service vulnerabilities
  • CVE-2021-22010 (CVSS score: 5.3) – vCenter Server VPXD denial of service vulnerability
  • CVE-2021-22008 (CVSS score: 5.3) – vCenter Server information disclosure vulnerability
  • CVE-2021-22020 (CVSS score: 5.0) – vCenter Server Analytics service denial-of-service vulnerability
  • CVE-2021-21993 (CVSS score: 4.3) – vCenter Server SSRF vulnerability

Credited with reporting most of the flaws are George Noseevich and Sergey Gerasimov of SolidLab LLC, alongside Hynek Petrak of Schneider Electric, Yuval Lazar of Pentera, and Osama Alaa of Malcrove.

“The ramifications of [CVE-2021-22005] are serious and it is a matter of time, likely minutes after the disclosure, before working exploits are publicly available,” VMware said in an FAQ urging customers to immediately update their vCenter installations.

“With the real danger of ransomware looming at present, the safest stance is to always assume that an attacker could already have control of a [desktop] and a user account by employing techniques like phishing or possibly spear-phishing, and act accordingly. This means the attacker would probably already be able to reach vCenter Server from inside a corporate firewall, and time is of the essence,” the company added.

Source of this news: https://thehackernews.com/2021/09/vmware-warns-of-critical-file-upload.html
