Patch Available for VMware CVE-2021-22048 - andersenIT

VMware has finally released a patch for the privilege escalation vulnerability CVE-2021-22048, which was disclosed to customers eight months ago. The fix ships as vCenter Server 7.0 Update 3f, a security update that addresses the vulnerability only for servers running the latest available release; fixes for the other affected versions are still pending.

In its advisory of November 2021, VMware warned that a malicious actor with non-administrative access to vCenter Server may exploit this issue to elevate privileges to a higher privileged group. VMware rates the issue in the Important severity range, with a maximum CVSSv3 base score of 7.1.

Impacted Products:

  • VMware vCenter Server (vCenter Server)
  • VMware Cloud Foundation (Cloud Foundation)

Workaround

VMware has also provided a workaround, since patches are still pending for the other affected versions. The workaround for CVE-2021-22048 is to switch the vCenter Server identity source from Integrated Windows Authentication (IWA) to either AD over LDAPS or Identity Provider Federation for AD FS (vSphere 7.0 only), following the KB article referenced in the 'Workarounds' column of the Response Matrix in VMware's advisory. The flaw is in the IWA authentication mechanism, so the exposure remains for as long as an IWA identity source stays configured. VMware has investigated and determined that performing these steps removes the possibility of exploitation.

At this time it is critically important to follow the advice in the security bulletin, as this vulnerability is being actively exploited. The patch is available from VMware's download portal.

If you require further assistance in addressing VMware CVE-2021-22048, please call us on 1300 428 248 or email support@andersenit.com.au, and we will be happy to assist.
