DIVD-2021-00036 - VMware vCenter Server arbitrary file read vulnerability
Field | Value |
---|---|
Our reference | DIVD-2021-00036 |
Case lead | Matthijs Koot |
Author | Lennaert Oudshoorn |
Researcher(s) | |
CVE(s) | CVE-2021-21980 |
Product | VMware vCenter Server, Cloud Foundation (vCenter Server) |
Versions | vCenter Server 6.5 and 6.7, Cloud Foundation (vCenter Server) 3.x |
Recommendation | Upgrade VMware vCenter Server and VMware Cloud Foundation to the latest version |
Patch status | Fully patched |
Status | Closed |
Last modified | 12 Aug 2022 11:21 CEST |
Summary
VMware has released security updates for vCenter Server, addressing an arbitrary file read vulnerability. Companies using this software have been advised to update by a security advisory from VMware on 23 November 2021. The bug, known as CVE-2021-21980, has a CVSS severity score of 7.5; exploitation could give an attacker access to sensitive information.
What you can do
If you run VMware vCenter Server version 6.5 or 6.7, or Cloud Foundation (vCenter Server) 3.x, upgrade to the latest version as soon as possible.
What we are doing
We are scanning the internet for vulnerable servers, and will notify system owners via the listed abuse contacts.
Timeline
Date | Description |
---|---|
23 Nov 2021 | VMware publishes their security advisory and releases a patch. |
24 Nov 2021 | US Cybersecurity and Infrastructure Security Agency publishes a security advisory. |
03 Dec 2021 | Proof of Concept code becomes publicly available. |
03 Dec 2021 | DIVD starts scanning the internet for CVE-2021-21980. |
05 Dec 2021 | DIVD CSIRT sends mail to owners of vulnerable systems that were found. |
12 Jan 2022 | DIVD scanned the internet again; with very few vulnerable hosts remaining, this case can be closed. |
```mermaid
gantt
title DIVD-2021-00036 - VMware vCenter Server arbitrary file read vulnerability
dateFormat YYYY-MM-DD
axisFormat %e %b %Y
section Case
DIVD-2021-00036 - VMware vCenter Server arbitrary file read vulnerability (40 days) :2021-12-03, 2022-01-12
section Events
VMware publishes their security advisory and releases a patch. : milestone, 2021-11-23, 0d
US Cybersecurity and Infrastructure Security Agency publishes a security advisory. : milestone, 2021-11-24, 0d
Proof of Concept code becomes publicly available. : milestone, 2021-12-03, 0d
DIVD starts scanning the internet for CVE-2021-21980. : milestone, 2021-12-03, 0d
DIVD CSIRT sends mail to owners of vulnerable systems that were found. : milestone, 2021-12-05, 0d
DIVD scanned the internet again; with very few vulnerable hosts remaining, this case can be closed. : milestone, 2022-01-12, 0d
```