-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2021.3162.2
          VMSA-2021-0020 - VMware vCenter Server updates address
                     multiple security vulnerabilities
                             28 September 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware vCenter Server
                   VMware Cloud Foundation
Publisher:         VMware
Operating System:  Virtualisation
                   Windows
                   VMware ESX Server
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Administrator Compromise        -- Existing Account            
                   Delete Arbitrary Files          -- Remote/Unauthenticated      
                   Denial of Service               -- Remote/Unauthenticated      
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated      
                   Reduced Security                -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-22020 CVE-2021-22019 CVE-2021-22018
                   CVE-2021-22017 CVE-2021-22016 CVE-2021-22015
                   CVE-2021-22014 CVE-2021-22013 CVE-2021-22012
                   CVE-2021-22011 CVE-2021-22010 CVE-2021-22009
                   CVE-2021-22008 CVE-2021-22007 CVE-2021-22006
                   CVE-2021-22005 CVE-2021-21993 CVE-2021-21992
                   CVE-2021-21991  

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2021-0020.html

Revision History:  September 28 2021: Vendor updated advisory with an alert that it has 
                     confirmed reports that CVE-2021-22005 is being exploited in the wild
                   September 22 2021: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Critical

Advisory ID: VMSA-2021-0020.1
CVSSv3 Range: 4.3-9.8
Issue Date: 2021-09-21
Updated On: 2021-09-24
CVE(s): CVE-2021-21991, CVE-2021-21992, CVE-2021-21993, CVE-2021-22005,
CVE-2021-22006, CVE-2021-22007, CVE-2021-22008, CVE-2021-22009,
CVE-2021-22010, CVE-2021-22011, CVE-2021-22012, CVE-2021-22013,
CVE-2021-22014, CVE-2021-22015, CVE-2021-22016, CVE-2021-22017,
CVE-2021-22018, CVE-2021-22019, CVE-2021-22020
Synopsis: VMware vCenter Server updates address multiple security
vulnerabilities

1. Impacted Products

  o VMware vCenter Server (vCenter Server)
  o VMware Cloud Foundation (Cloud Foundation)

2. Introduction

Multiple vulnerabilities in VMware vCenter Server were privately reported to
VMware. Updates are available to remediate these vulnerabilities in affected
VMware products.

3a. vCenter Server file upload vulnerability (CVE-2021-22005)

Description

The vCenter Server contains an arbitrary file upload vulnerability in the
Analytics service. VMware has evaluated the severity of this issue to be in
the Critical severity range with a maximum CVSSv3 base score of 9.8.

Known Attack Vectors

A malicious actor with network access to port 443 on vCenter Server may
exploit this issue to execute code on vCenter Server by uploading a specially
crafted file.

Resolution

To remediate CVE-2021-22005 apply the updates listed in the 'Fixed Version'
column of the 'Response Matrix' below to affected deployments.

Workarounds

Workarounds for CVE-2021-22005 have been listed in the 'Workarounds' column of
the 'Response Matrix' below.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see:
https://via.vmw.com/vmsa-2021-0020-faq

Notes

  o VMware has confirmed reports that CVE-2021-22005 is being exploited in the
    wild.
  o This issue does not affect vCenter Server 6.5.

Acknowledgements

VMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov
of SolidLab LLC for reporting this issue to us.

3b. vCenter Server local privilege escalation vulnerability (CVE-2021-21991)

Description

The vCenter Server contains a local privilege escalation vulnerability due to
the way it handles session tokens. VMware has evaluated the severity of this
issue to be in the Important severity range with a maximum CVSSv3 base score
of 8.8.

Known Attack Vectors

A malicious actor with non-administrative user access on vCenter Server host
may exploit this issue to escalate privileges to Administrator on the vSphere
Client (HTML5) or vCenter Server vSphere Web Client (FLEX/Flash).

Resolution

To remediate CVE-2021-21991 apply the updates listed in the 'Fixed Version'
column of the 'Response Matrix' below to affected deployments.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see:
https://via.vmw.com/vmsa-2021-0020-faq

Notes

None.

Acknowledgements

VMware would like to thank Hynek Petrak of Schneider Electric for reporting
this issue to us.

3c. vCenter Server reverse proxy bypass vulnerability (CVE-2021-22006)

Description

The vCenter Server contains a reverse proxy bypass vulnerability due to the
way the endpoints handle the URI. VMware has evaluated the severity of this
issue to be in the Important severity range with a maximum CVSSv3 base score
of 8.3.

Known Attack Vectors

A malicious actor with network access to port 443 on vCenter Server may
exploit this issue to access restricted endpoints.

Resolution

To remediate CVE-2021-22006 apply the updates listed in the 'Fixed Version'
column of the 'Response Matrix' below to affected deployments.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see:
https://via.vmw.com/vmsa-2021-0020-faq

Notes

This issue does not affect vCenter Server 6.5.

Acknowledgements

VMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov
of SolidLab LLC for reporting this issue to us.

3d. vCenter server unauthenticated API endpoint vulnerability (CVE-2021-22011)

Description

The vCenter Server contains an unauthenticated API endpoint vulnerability in
vCenter Server Content Library. VMware has evaluated the severity of this
issue to be in the Important severity range with a maximum CVSSv3 base score
of 8.1.

Known Attack Vectors

A malicious actor with network access to port 443 on vCenter Server may
exploit this issue to perform unauthenticated VM network setting manipulation.

Resolution

To remediate CVE-2021-22011 apply the updates listed in the 'Fixed Version'
column of the 'Response Matrix' below to affected deployments.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see:
https://via.vmw.com/vmsa-2021-0020-faq

Notes

None.

Acknowledgements

VMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov
of SolidLab LLC for reporting this issue to us.

3e. vCenter Server improper permission local privilege escalation
vulnerabilities (CVE-2021-22015)

Description

The vCenter Server contains multiple local privilege escalation
vulnerabilities due to improper permissions of files and directories. VMware
has evaluated the severity of these issues to be in the Important severity
range with a maximum CVSSv3 base score of 7.8.

Known Attack Vectors

An authenticated local user with non-administrative privilege may exploit
these issues to elevate their privileges to root on vCenter Server Appliance.

Resolution

To remediate CVE-2021-22015 apply the updates listed in the 'Fixed Version'
column of the 'Response Matrix' below to affected deployments.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see:
https://via.vmw.com/vmsa-2021-0020-faq

Notes

None.

Acknowledgements

VMware would like to thank Yuval Lazar (@Ul7raVi0l3t) of Pentera, Sergey
Gerasimov and George webpentest Noseevich of Solidlab working with Trend Micro
Zero Day Initiative for independently reporting these issues to us.

3f. vCenter Server unauthenticated API information disclosure vulnerability
(CVE-2021-22012)

Description

The vCenter Server contains an information disclosure vulnerability due to an
unauthenticated appliance management API. VMware has evaluated the severity of
this issue to be in the Important severity range with a maximum CVSSv3 base
score of 7.5.

Known Attack Vectors

A malicious actor with network access to port 443 on vCenter Server may
exploit this issue to gain access to sensitive information.

Resolution

To remediate CVE-2021-22012 apply the updates listed in the 'Fixed Version'
column of the 'Response Matrix' below to affected deployments.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see:
https://via.vmw.com/vmsa-2021-0020-faq

Notes

This issue affects only vCenter Server 6.5.

Acknowledgements

VMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov
of SolidLab LLC for reporting this issue to us.

3g. vCenter Server file path traversal vulnerability (CVE-2021-22013)

Description

The vCenter Server contains a file path traversal vulnerability leading to
information disclosure in the appliance management API. VMware has evaluated
the severity of this issue to be in the Important severity range with a
maximum CVSSv3 base score of 7.5.

Known Attack Vectors

A malicious actor with network access to port 443 on vCenter Server may
exploit this issue to gain access to sensitive information.

Resolution

To remediate CVE-2021-22013 apply the updates listed in the 'Fixed Version'
column of the 'Response Matrix' below to affected deployments.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see:
https://via.vmw.com/vmsa-2021-0020-faq

Notes

This issue affects only vCenter Server 6.5.

Acknowledgements

VMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov
of SolidLab LLC for reporting this issue to us.

3h. vCenter Server reflected XSS vulnerability (CVE-2021-22016)

Description

The vCenter Server contains a reflected cross-site scripting vulnerability due
to a lack of input sanitization. VMware has evaluated the severity of this
issue to be in the Important severity range with a maximum CVSSv3 base score
of 7.5.

Known Attack Vectors

An attacker may exploit this issue to execute malicious scripts by tricking a
victim into clicking a malicious link.

Resolution

To remediate CVE-2021-22016 apply the updates listed in the 'Fixed Version'
column of the 'Response Matrix' below to affected deployments.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see:
https://via.vmw.com/vmsa-2021-0020-faq

Notes

This issue affects only vCenter Server 6.7.

Acknowledgements

VMware would like to thank icez for reporting this issue to us.

3i. vCenter Server rhttpproxy bypass vulnerability (CVE-2021-22017)

Description

The rhttpproxy used in vCenter Server contains a vulnerability due to improper
implementation of URI normalization. VMware has evaluated the severity of this
issue to be in the Important severity range with a maximum CVSSv3 base score
of 7.3.

Known Attack Vectors

A malicious actor with network access to port 443 on vCenter Server may
exploit this issue to bypass proxy leading to internal endpoints being
accessed.

Resolution

To remediate CVE-2021-22017 apply the updates listed in the 'Fixed Version'
column of the 'Response Matrix' below to affected deployments.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see:
https://via.vmw.com/vmsa-2021-0020-faq

Notes

This issue does not affect vCenter Server 7.0.

Acknowledgements

VMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov
of SolidLab LLC for reporting this issue to us.
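
The reverse proxy bypass in 3c and the rhttpproxy URI normalization issue in 3i
are both instances of one defensive mistake: an access decision taken on a URI
string that the backend later interprets differently. The Python below is an
added illustration of the defensive pattern, not VMware's code and not the
specific bypass; the prefix allow-list, the '/internal/' endpoint name and the
sample paths are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed allow-list for illustration only: request paths the proxy may
# forward. Anything else is treated as an internal endpoint. These prefixes
# are hypothetical and are not vCenter's real routing table.
PUBLIC_PREFIXES = ("/ui/", "/rest/", "/sdk/")


def naive_is_public(raw_path: str) -> bool:
    """The flawed pattern: decide on the raw request string.

    The prefix test sees '/ui/' even when the backend, after decoding
    and collapsing dot segments, will serve something else entirely.
    """
    return raw_path.startswith(PUBLIC_PREFIXES)


def normalize_path(raw_path: str) -> str:
    """Canonicalise a request path the way a backend will interpret it.

    Steps: drop query and fragment, percent-decode until the string is
    stable (so a double-encoded sequence cannot survive one decoding
    pass), unify slashes, then collapse '//', '/./' and '/../' segments.
    """
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        # Still changing after three passes: refuse rather than guess.
        raise ValueError("path does not stabilise under percent-decoding")
    path = path.replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    normalized = posixpath.normpath(path)
    # normpath drops a trailing slash; keep it, prefix rules depend on it.
    if path.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def hardened_is_public(raw_path: str) -> bool:
    """Fail-closed decision: both the raw path and its canonical form must
    fall under a public prefix, and control characters are refused."""
    try:
        canonical = normalize_path(raw_path)
    except ValueError:
        return False
    if any(ord(c) < 0x20 for c in canonical):
        return False
    raw = raw_path.split("?", 1)[0]
    return raw.startswith(PUBLIC_PREFIXES) and canonical.startswith(PUBLIC_PREFIXES)


if __name__ == "__main__":
    # Constructed sample paths; '/internal/' is a hypothetical endpoint name.
    for sample in ("/ui/login", "/ui//login", "/ui/../internal/",
                   "/ui/%2e%2e/internal/", "/ui/%252e%252e/internal/"):
        print(f"{sample:32} naive={naive_is_public(sample)!s:5} "
              f"hardened={hardened_is_public(sample)}")
```

The point of the comparison is that the decision and the backend must agree on
one canonical form; a proxy that checks the raw string while the backend
normalises is exactly the gap the advisory describes.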

3j. vCenter Server authenticated code execution vulnerability (CVE-2021-22014)

Description

The vCenter Server contains an authenticated code execution vulnerability in
VAMI (Virtual Appliance Management Infrastructure). VMware has evaluated the
severity of this issue to be in the Important severity range with a maximum
CVSSv3 base score of 7.2.

Known Attack Vectors

An authenticated VAMI user with network access to port 5480 on vCenter Server
may exploit this issue to execute code on the underlying operating system that
hosts vCenter Server.

Resolution

To remediate CVE-2021-22014 apply the updates listed in the 'Fixed Version'
column of the 'Response Matrix' below to affected deployments.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see:
https://via.vmw.com/vmsa-2021-0020-faq

Notes

None.

Acknowledgements

VMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov
of SolidLab LLC for reporting this issue to us.

3k. vCenter Server file deletion vulnerability (CVE-2021-22018)

Description

The vCenter Server contains an arbitrary file deletion vulnerability in a
VMware vSphere Life-cycle Manager plug-in. VMware has evaluated the severity
of this issue to be in the Moderate severity range with a maximum CVSSv3 base
score of 6.5.

Known Attack Vectors

A malicious actor with network access to port 9087 on vCenter Server may
exploit this issue to delete non-critical files.

Resolution

To remediate CVE-2021-22018 apply the updates listed in the 'Fixed Version'
column of the 'Response Matrix' below to affected deployments.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see:
https://via.vmw.com/vmsa-2021-0020-faq

Notes

This issue affects only vCenter Server 7.0.

Acknowledgements

VMware would like to thank Sergey Gerasimov of Solidlab working with Trend
Micro Zero Day Initiative for reporting this issue to us.

3l. vCenter Server XML parsing denial-of-service vulnerability
(CVE-2021-21992)

Description

The vCenter Server contains a denial-of-service vulnerability due to improper
XML entity parsing. VMware has evaluated the severity of this issue to be in
the Moderate severity range with a maximum CVSSv3 base score of 6.5.

Known Attack Vectors

A malicious actor with non-administrative user access to the vCenter
Server vSphere Client (HTML5) or vCenter Server vSphere Web Client (FLEX/
Flash) may exploit this issue to create a denial-of-service condition on the
vCenter Server host.

Resolution

To remediate CVE-2021-21992 apply the updates listed in the 'Fixed Version'
column of the 'Response Matrix' below to affected deployments.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see:
https://via.vmw.com/vmsa-2021-0020-faq

Notes

None.

Acknowledgements

VMware would like to thank Osama Alaa of Malcrove for reporting this issue to
us.
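
The issue in 3l is attributed to improper XML entity parsing, a bug class a
parser can refuse up front instead of handling after expansion. The Python
below is an added example of that defensive configuration, not VMware's code
and not the vCenter parser; it uses the standard library's expat bindings to
reject any document that declares entities or references an external DTD
before anything is expanded. The sample documents are constructed.

```python
import xml.parsers.expat


class UnsafeDtdError(ValueError):
    """Raised when a document tries to declare entities or load a DTD."""


def parse_without_entities(document: bytes) -> list:
    """Parse XML and return the element names in document order.

    Entity declarations are refused inside the handler, i.e. before expat
    would ever expand them, so an entity-expansion document is rejected at
    its first <!ENTITY ...> rather than consuming memory or CPU.
    """
    parser = xml.parsers.expat.ParserCreate()
    element_names = []

    def start_element(name, attrs):
        element_names.append(name)

    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # An external DTD would have the parser fetch and interpret a
        # document it does not control: refuse it.
        if system_id is not None or public_id is not None:
            raise UnsafeDtdError(f"external DTD reference refused: {system_id!r}")

    def entity_decl(entity_name, is_parameter_entity, value, base,
                    system_id, public_id, notation_name):
        raise UnsafeDtdError(f"entity declaration refused: {entity_name!r}")

    def external_entity_ref(context, base, system_id, public_id):
        raise UnsafeDtdError(f"external entity reference refused: {system_id!r}")

    parser.StartElementHandler = start_element
    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref

    # An exception raised inside a handler stops parsing and propagates
    # out of Parse(), so a refused document never reaches expansion.
    parser.Parse(document, True)
    return element_names


# Constructed sample documents for illustration.
BENIGN = b"<inventory><vm name='a'/><vm name='b'/></inventory>"
INTERNAL_ENTITY = b"<!DOCTYPE x [<!ENTITY e 'expand me'>]><x>&e;</x>"
EXTERNAL_DTD = b"<!DOCTYPE x SYSTEM 'x.dtd'><x/>"


def classify(document: bytes) -> str:
    """Return 'ok' or 'refused: <reason>' for a document."""
    try:
        parse_without_entities(document)
        return "ok"
    except UnsafeDtdError as exc:
        return f"refused: {exc}"


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("internal entity", INTERNAL_ENTITY),
                       ("external DTD", EXTERNAL_DTD)):
        print(f"{label:16} {classify(doc)}")
```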

3m. vCenter Server local information disclosure vulnerability (CVE-2021-22007)

Description

The vCenter Server contains a local information disclosure vulnerability in
the Analytics service. VMware has evaluated the severity of this issue to be
in the Moderate severity range with a maximum CVSSv3 base score of 5.5.

Known Attack Vectors

An authenticated user with non-administrative privilege may exploit this issue
to gain access to sensitive information.

Resolution

To remediate CVE-2021-22007 apply the updates listed in the 'Fixed Version'
column of the 'Response Matrix' below to affected deployments.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see:
https://via.vmw.com/vmsa-2021-0020-faq

Notes

This issue does not affect vCenter Server 6.5.

Acknowledgements

VMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov
of SolidLab LLC for reporting this issue to us.

3n. vCenter Server denial of service vulnerability (CVE-2021-22019)

Description

The vCenter Server contains a denial-of-service vulnerability in VAPI (vCenter
API) service. VMware has evaluated the severity of this issue to be in the
Moderate severity range with a maximum CVSSv3 base score of 5.3.

Known Attack Vectors

A malicious actor with network access to port 5480 on vCenter Server may
exploit this issue by sending a specially crafted jsonrpc message to create a
denial of service condition.

Resolution

To remediate CVE-2021-22019 apply the updates listed in the 'Fixed Version'
column of the 'Response Matrix' below to affected deployments.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see:
https://via.vmw.com/vmsa-2021-0020-faq

Notes

None.

Acknowledgements

VMware would like to thank Sergey Gerasimov and George webpentest Noseevich of
Solidlab working with Trend Micro Zero Day Initiative for reporting these
issues to us.

3o. vCenter Server VAPI multiple denial of service vulnerabilities
(CVE-2021-22009)

Description

The vCenter Server contains multiple denial-of-service vulnerabilities in VAPI
(vCenter API) service. VMware has evaluated the severity of these issues to be
in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

Known Attack Vectors

A malicious actor with network access to port 443 on vCenter Server may
exploit these issues to create a denial of service condition due to excessive
memory consumption by VAPI service.

Resolution

To remediate CVE-2021-22009 apply the updates listed in the 'Fixed Version'
column of the 'Response Matrix' below to affected deployments.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see:
https://via.vmw.com/vmsa-2021-0020-faq

Notes

None.

Acknowledgements

VMware would like to thank Sergey Gerasimov and George webpentest Noseevich of
Solidlab working with Trend Micro Zero Day Initiative for reporting these
issues to us.

3p. vCenter Server VPXD denial of service vulnerability (CVE-2021-22010)

Description

The vCenter Server contains a denial-of-service vulnerability in VPXD (Virtual
Provisioning X Daemon) service. VMware has evaluated the severity of this
issue to be in the Moderate severity range with a maximum CVSSv3 base score of
5.3.

Known Attack Vectors

A malicious actor with network access to port 443 on vCenter Server may
exploit this issue to create a denial of service condition due to excessive
memory consumption by VPXD service.

Resolution

To remediate CVE-2021-22010 apply the updates listed in the 'Fixed Version'
column of the 'Response Matrix' below to affected deployments.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see:
https://via.vmw.com/vmsa-2021-0020-faq

Notes

This issue does not affect vCenter Server 6.5.

Acknowledgements

VMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov
of SolidLab LLC for reporting this issue to us.

3q. vCenter Server information disclosure vulnerability (CVE-2021-22008)

Description

The vCenter Server contains an information disclosure vulnerability in VAPI
(vCenter API) service. VMware has evaluated the severity of this issue to be in
the Moderate severity range with a maximum CVSSv3 base score of 5.3.

Known Attack Vectors

A malicious actor with network access to port 443 on vCenter Server may
exploit this issue by sending a specially crafted jsonrpc message to gain
access to sensitive information.

Resolution

To remediate CVE-2021-22008 apply the updates listed in the 'Fixed Version'
column of the 'Response Matrix' below to affected deployments.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see:
https://via.vmw.com/vmsa-2021-0020-faq

Notes

None.

Acknowledgements

VMware would like to thank Sergey Gerasimov and George webpentest Noseevich of
Solidlab working with Trend Micro Zero Day Initiative for reporting this issue
to us.

3r. vCenter Server Analytics service denial-of-service vulnerability
(CVE-2021-22020)

Description

The vCenter Server contains a denial-of-service vulnerability in the Analytics
service. VMware has evaluated the severity of this issue to be in the Moderate
severity range with a maximum CVSSv3 base score of 5.0.

Known Attack Vectors

Successful exploitation of this issue may allow an attacker to create a
denial-of-service condition on vCenter Server.

Resolution

To remediate CVE-2021-22020 apply the updates listed in the 'Fixed Version'
column of the 'Response Matrix' below to affected deployments.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see:
https://via.vmw.com/vmsa-2021-0020-faq

Notes

This issue does not affect vCenter Server 6.5.

Acknowledgements

VMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov
of SolidLab LLC for reporting this issue to us.

3s. vCenter Server SSRF vulnerability (CVE-2021-21993)

Description

The vCenter Server contains an SSRF (Server Side Request Forgery)
vulnerability due to improper validation of URLs in vCenter Server Content
Library. VMware has evaluated the severity of this issue to be in the Moderate
severity range with a maximum CVSSv3 base score of 4.3.

Known Attack Vectors

An authorised user with access to content library may exploit this issue by
sending a POST request to vCenter Server leading to information disclosure.

Resolution

To remediate CVE-2021-21993 apply the updates listed in the 'Fixed Version'
column of the 'Response Matrix' below to affected deployments.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see:
https://via.vmw.com/vmsa-2021-0020-faq

Notes

None.

Acknowledgements

VMware would like to thank Osama Alaa of Malcrove and vitquay of Vantage Point
Security for independently reporting this issue to us.

Response Matrix - vSphere 7.0:

Product          Version Running On CVE Identifier  CVSSv3  Severity  Fixed Version        Workarounds Additional Documentation

vCenter Server   7.0     Any        CVE-2021-22005  9.8     critical  7.0 U2c              KB85717     FAQ

vCenter Server   7.0     Any        CVE-2021-21991, 4.3-8.8 important 7.0 U2c              None        FAQ
                                    CVE-2021-21992,
                                    CVE-2021-21993,
                                    CVE-2021-22006,
                                    CVE-2021-22007,
                                    CVE-2021-22008,
                                    CVE-2021-22009,
                                    CVE-2021-22010,
                                    CVE-2021-22014,
                                    CVE-2021-22015,
                                    CVE-2021-22019,
                                    CVE-2021-22020

vCenter Server   7.0     Any        CVE-2021-22011, 6.5,    important 7.0 U2d              None        FAQ
                                    CVE-2021-22018  8.1

vCenter Server   7.0     Any        CVE-2021-22012, N/A     N/A       Unaffected           N/A         N/A
                                    CVE-2021-22013,
                                    CVE-2021-22016,
                                    CVE-2021-22017

Cloud Foundation 4.x     Any        CVE-2021-22005  9.8     critical  KB85718 (4.3)        KB85717     FAQ
(vCenter Server)

Cloud Foundation 4.x     Any        CVE-2021-21991, 4.3-8.8 important KB85718 (4.3)        None        FAQ
(vCenter Server)                    CVE-2021-21992,
                                    CVE-2021-21993,
                                    CVE-2021-22006,
                                    CVE-2021-22007,
                                    CVE-2021-22008,
                                    CVE-2021-22009,
                                    CVE-2021-22010,
                                    CVE-2021-22014,
                                    CVE-2021-22015,
                                    CVE-2021-22019,
                                    CVE-2021-22020

Cloud Foundation 4.x     Any        CVE-2021-22011, 6.5,    important KB85718 (4.3.1)      None        FAQ
(vCenter Server)                    CVE-2021-22018  8.1

Cloud Foundation 4.x     Any        CVE-2021-22012, N/A     N/A       Unaffected           N/A         N/A
(vCenter Server)                    CVE-2021-22013,
                                    CVE-2021-22016,
                                    CVE-2021-22017

Response Matrix - vSphere 6.7:

Product          Version Running On        CVE Identifier  CVSSv3  Severity  Fixed Version        Workarounds Additional Documentation

vCenter Server   6.7     Virtual Appliance CVE-2021-22005  9.8     critical  6.7 U3o              KB85717     FAQ

vCenter Server   6.7     Windows           CVE-2021-22005  N/A     N/A       Unaffected           N/A         N/A

vCenter Server   6.7     Any               CVE-2021-21991, 4.3-8.8 important 6.7 U3o              None        FAQ
                                           CVE-2021-21992,
                                           CVE-2021-21993,
                                           CVE-2021-22006,
                                           CVE-2021-22008,
                                           CVE-2021-22009,
                                           CVE-2021-22010,
                                           CVE-2021-22011,
                                           CVE-2021-22016,
                                           CVE-2021-22017

vCenter Server   6.7     Virtual Appliance CVE-2021-22007, 5.0-7.8 important 6.7 U3o              None        FAQ
                                           CVE-2021-22014,
                                           CVE-2021-22015,
                                           CVE-2021-22019,
                                           CVE-2021-22020

vCenter Server   6.7     Windows           CVE-2021-22007, N/A     N/A       Unaffected           N/A         N/A
                                           CVE-2021-22014,
                                           CVE-2021-22015,
                                           CVE-2021-22019,
                                           CVE-2021-22020

vCenter Server   6.7     Any               CVE-2021-22012, N/A     N/A       Unaffected           N/A         N/A
                                           CVE-2021-22013,
                                           CVE-2021-22018

Cloud Foundation 3.x     Any               CVE-2021-22005  9.8     critical  KB85719 (3.10.2.2)   KB85717     FAQ
(vCenter Server)

Cloud Foundation 3.x     Any               CVE-2021-21991, 4.3-8.8 important KB85719 (3.10.2.2)   None        FAQ
(vCenter Server)                           CVE-2021-21992,
                                           CVE-2021-21993,
                                           CVE-2021-22006,
                                           CVE-2021-22007,
                                           CVE-2021-22008,
                                           CVE-2021-22009,
                                           CVE-2021-22010,
                                           CVE-2021-22011,
                                           CVE-2021-22014,
                                           CVE-2021-22015,
                                           CVE-2021-22016,
                                           CVE-2021-22017,
                                           CVE-2021-22019,
                                           CVE-2021-22020

Cloud Foundation 3.x     Any               CVE-2021-22012, N/A     N/A       Unaffected           N/A         N/A
(vCenter Server)                           CVE-2021-22013,
                                           CVE-2021-22018

Response Matrix - vSphere 6.5:

Product          Version Running On        CVE Identifier  CVSSv3  Severity  Fixed Version        Workarounds Additional Documentation

vCenter Server   6.5     Any               CVE-2021-21991, 4.3-8.8 important 6.5 U3q              None        FAQ
                                           CVE-2021-21992,
                                           CVE-2021-21993,
                                           CVE-2021-22008,
                                           CVE-2021-22009,
                                           CVE-2021-22011,
                                           CVE-2021-22017

vCenter Server   6.5     Virtual Appliance CVE-2021-22012, 5.3-7.8 important 6.5 U3q              None        FAQ
                                           CVE-2021-22013,
                                           CVE-2021-22014,
                                           CVE-2021-22015,
                                           CVE-2021-22019

vCenter Server   6.5     Windows           CVE-2021-22012, N/A     N/A       Unaffected           N/A         N/A
                                           CVE-2021-22013,
                                           CVE-2021-22014,
                                           CVE-2021-22015,
                                           CVE-2021-22019

vCenter Server   6.5     Any               CVE-2021-22005, N/A     N/A       Unaffected           N/A         N/A
                                           CVE-2021-22006,
                                           CVE-2021-22007,
                                           CVE-2021-22010,
                                           CVE-2021-22016,
                                           CVE-2021-22018,
                                           CVE-2021-22020


4. References

Fixed Version(s) and Release Notes:

vCenter Server 7.0 U2d
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC70U2D&productId=974&rPId=74352
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u2d-release-notes.html

vCenter Server 6.7 U3o
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC67U3O&productId=742&rPId=73667
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3o-release-notes.html

vCenter Server 6.5 U3q
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC65U3Q&productId=614&rPId=74057
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u3q-release-notes.html

VMware vCloud Foundation 4.3.1
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/4.3.1/rn/VMware-Cloud-Foundation-431-Release-Notes.html

VMware vCloud Foundation 3.10.2.2
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10.2/rn/VMware-Cloud-Foundation-3102-Release-Notes.html

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21991
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21992
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21993
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22005
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22006
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22007
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22008
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22009
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22010
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22011
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22012
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22013
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22014
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22015
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22016
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22017
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22018
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22019
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22020

FIRST CVSSv3 Calculator:
CVE-2021-21991: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE-2021-21992: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2021-21993: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE-2021-22005: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-22006: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
CVE-2021-22007: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE-2021-22008: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2021-22009: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE-2021-22010: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE-2021-22011: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H
CVE-2021-22012: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2021-22013: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2021-22014: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2021-22015: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-22016: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2021-22017: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVE-2021-22018: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
CVE-2021-22019: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE-2021-22020: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H


5. Change Log

2021-09-21 VMSA-2021-0020
Initial security advisory.

2021-09-24 VMSA-2021-0020.1
Updated advisory with an alert that VMware has confirmed reports that
CVE-2021-22005 is being exploited in the wild.


6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce 


This Security Advisory is posted to the following lists:  
security-announce@lists.vmware.com  
bugtraq@securityfocus.com  
fulldisclosure@seclists.org 

E-mail: security@vmware.com
PGP key at:
https://kb.vmware.com/kb/1055 

VMware Security Advisories
https://www.vmware.com/security/advisories 

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html 

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html 

VMware Security & Compliance Blog  
https://blogs.vmware.com/security 

Twitter
https://twitter.com/VMwareSRC

Copyright 2021 VMware Inc. All rights reserved.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================