Skip to the content.

DIVD-2021-00036 - VMware vCenter Server arbitrary file read vulnerability

Our reference DIVD-2021-00036
Case lead Matthijs Koot
Author Lennaert Oudshoorn
Researcher(s)
CVE(s)
Product VMware vCenter Server, Cloud Foundation(vCenter Server)
Versions vCenter Server 6.5 and 6.7, Cloud Foundation (vCenter Server) 3.x
Recommendation Upgrade VMware vCenter Server and VMware Cloud Foundation to the latest version
Patch status Full patched
Status Closed
Last modified 20 Jun 2022 07:35

Summary

VMware has release security updates for vCenter Server, addressing a arbitrary file read vulnerability. Companies using this software have been advised to update by a security advisory from VMware on November 23rd. The bug known as {CVE-2021-21980} has a CVSS severity score of 7.5, abuse could lead to an attacker gaining access to sensitive information.

What you can do

If you run VMware vCenter Server with version 6.5 or 6.7, or Cloud Foundation (vCenter Server) 3.x upgrade to the latest version as soon as possible.

What we are doing

We are scanning the internet for vulnerable servers, and will notify system owners via the listed abuse contacts.

Timeline

Date Description
23 Nov 2021 VMware publishes their security advisory and releases a patch.
24 Nov 2021 US Cybersecurity and Infrastructure Security Agency publishes a security advisory.
03 Dec 2021 Proof of Concept code becomes publicly available.
03 Dec 2021 DIVD starts scanning the internet for CVE-2021-21980.
05 Dec 2021 DIVD CSIRT sends mail to owners of vulnerable systems that were found.
12 Jan 2022 DIVD scanned the internet again, with very few vulnerable hosts remaining this case can be closed.
gantt title DIVD-2021-00036 - VMware vCenter Server arbitrary file read vulnerability dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2021-00036 - VMware vCenter Server arbitrary file read vulnerability (40 days) :2021-12-03, 2022-01-12 section Events VMware publishes their security advisory and releases a patch. : milestone, 2021-11-23, 0d US Cybersecurity and Infrastructure Security Agency publishes a security advisory. : milestone, 2021-11-24, 0d Proof of Concept code becomes publicly available. : milestone, 2021-12-03, 0d DIVD starts scanning the internet for CVE-2021-21980. : milestone, 2021-12-03, 0d DIVD CSIRT sends mail to owners of vulnerable systems that were found. : milestone, 2021-12-05, 0d DIVD scanned the internet again, with very few vulnerable hosts remaining this case can be closed. : milestone, 2022-01-12, 0d

More information