The vulnerability resides in the Analytics service of vCenter Server and carries a CVSSv3 score of 9.8. An attacker with network access to port 443 on vCenter Server can upload a malicious file to achieve remote code execution on the vCenter Server host. The vulnerability can be exploited remotely without authentication, has low attack complexity, and requires no user interaction.
VMware has released patches for this vulnerability. Affected users are advised to consult the official VMware security advisory and upgrade promptly.
Download link:
https://www.vmware.com/security/advisories/VMSA-2021-0020.html