VMware Patches Critical vCenter Vulnerability
VMware has released patches to address a critical out-of-bounds write vulnerability affecting its vCenter Server and VMware Cloud Foundation products. The flaw could be exploited to achieve remote code execution. The issue is severe enough that VMware has released fixes for end-of-life products, including vCenter Server 6.7U3, 6.5U3, VCF 3.x, and vCenter Server 8.0U1. VMware has also released updates for a moderate severity vulnerability that could lead to partial information disclosure.
vCenter has been in the crosshairs of ransomware gangs for a while. Patch this before the next issue of NewsBites talks about how they are taking advantage of this flaw to extort organizations. As a first step, please ensure any IPs allowing direct access to vCenter are not reachable from the internet.
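The first step above, checking that no vCenter management address is directly reachable from the internet, can be made into a repeatable audit. The following is an added example written for this page; it is not code from VMware or from the NewsBites editors. It assumes a constructed inventory of vCenter management addresses and a constructed, simplified firewall rule list; the host names, addresses (203.0.113.0/24 is a documentation-reserved range standing in for a public address) and rules are hypothetical, and the ports 443 (vCenter UI/API) and 5480 (appliance management) are the standard vCenter listeners.

```python
# Added example, not from the NewsBites item or VMware: flag vCenter
# management addresses that sit outside RFC 1918 space or that a firewall
# rule exposes to any source. All inventory and rule data below is constructed.
import ipaddress

# Constructed inventory of vCenter appliance management IPs (hypothetical).
VCENTER_HOSTS = {
    "vcsa-prod": "10.20.30.40",
    "vcsa-dmz": "203.0.113.10",  # documentation range standing in for a public IP
}

# Constructed, simplified firewall rules: (source_cidr, dest_ip, dest_port, action).
FIREWALL_RULES = [
    ("10.0.0.0/8", "10.20.30.40", 443, "allow"),
    ("0.0.0.0/0", "203.0.113.10", 443, "allow"),   # internet-facing allow rule
    ("0.0.0.0/0", "203.0.113.10", 5480, "deny"),
]

# Standard vCenter listeners: HTTPS UI/API and the appliance management interface.
VCENTER_PORTS = {443, 5480}

PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_rfc1918(ip: str) -> bool:
    """True when the address falls inside one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def internet_reachable_rules(rules, host_ip):
    """Return (source, port) pairs for allow rules that let any source reach
    a vCenter port on host_ip. A /0 source covers the whole address space."""
    hits = []
    for src, dst, port, action in rules:
        if dst != host_ip or port not in VCENTER_PORTS or action != "allow":
            continue
        net = ipaddress.ip_network(src, strict=False)
        if net.prefixlen == 0:
            hits.append((src, port))
    return hits


def audit(hosts=VCENTER_HOSTS, rules=FIREWALL_RULES):
    """Map each vCenter host name to a list of exposure findings; hosts with
    no findings are omitted so an empty dict means nothing is exposed."""
    findings = {}
    for name, ip in hosts.items():
        issues = []
        if not is_rfc1918(ip):
            issues.append("management address outside RFC 1918 space")
        for src, port in internet_reachable_rules(rules, ip):
            issues.append(f"rule allows {src} -> tcp/{port}")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for host, issues in audit().items():
        print(host)
        for issue in issues:
            print("  -", issue)
```

Feeding the script real data means exporting the management addresses from your vCenter inventory and the relevant rules from the perimeter firewall or cloud security groups; a host that is flagged here is one to isolate before, not after, applying the patch.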
Use this quote from VMware to drive immediate patching: “In-product workarounds were investigated, but were determined to not be viable.”
If you're running one of the older, unsupported vCenter Server products, you caught a break here and have an update. Apply the patch, then move to the latest supported/patched version. PoC exploit code is available on the Internet, and there are no workarounds.
The vendor is sending a clear signal when it chooses to provide an update for end-of-life products – the install base is high. Users of vCenter Server and its Cloud Foundation products should download the update and patch immediately.
Read more in:
SC Magazine: VMware critical bug puts vCenter Servers at risk
Dark Reading: Virtual Alarm: VMware Issues Major Security Advisory
Bleeping Computer: VMware fixes critical code execution flaw in vCenter Server