VMware has released patches that address a new critical bug in VMware vCenter Server, tracked as CVE-2021-21985 and CVE-2021-21986, and urged users to apply them as soon as possible. According to the announcement, vCenter Server versions 6.5, 6.7, and 7.0 are affected. VMware also published VMware Security Advisory VMSA-2021-0010, which describes the issues and links to the workarounds.
VMware also stated that the updates fix a critical security vulnerability, and that organizations practicing change management under the ITIL definitions of change types would consider this an “emergency change.” According to the announcement, different environments have different tolerances for risk and different security controls and defense-in-depth measures to mitigate it; nevertheless, VMware strongly recommends that users act.
VMware stated that it found a remote code execution vulnerability in the vSAN plugin, a component of vCenter Server, that allows anyone who can reach the vCenter Server over the network to gain access. The improvements made to the vCenter Server plugin framework affect some VMware plugins and can cause some third-party plugins to stop working. VMware warned users that, for a period after updating, a virtualization admin team may need to access backup, storage, or other systems through their respective management interfaces rather than through the vSphere Client UI.