VMware said three versions of its vCenter Server management software for controlling vSphere environments are susceptible to a critical security flaw that should be immediately patched.
The vendor said in a blog post that the issue needs the “immediate attention” of administrators.
“Given the severity, we strongly recommend that you act,” VMware said.
The company said there was a remote code execution (RCE) vulnerability in “the vSAN plugin [that] ships with and is enabled by default on vCenter Server” versions 6.5, 6.7 and 7.0.
“This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of whether you use vSAN or not,” the vendor said.
The issue necessitated making “improvements … to the vCenter Server plugin framework to better enforce plugin authentication.”
“This affects some VMware plugins, and may also cause some third-party plugins to stop working,” the vendor advised.
VMware said there were workarounds available for administrators that could not apply patches right away.
However, it recommended vSAN customers against “disabling the vSAN plugin” as that “will remove all ability to manage vSAN.”
“No monitoring, no management, no alarms, nothing,” it said.
“This might be fine for your organisation for very short periods of time but we at VMware cannot recommend it. Please use caution.”
In an accompanying FAQ, the vendor flagged future changes to vSphere as a result of the issues.
“Will there be changes to vSphere because of these issues? Absolutely yes, but we cannot comment on product futures publicly,” VMware said.
“Small improvements can be made as part of patch and update releases.
“Major changes must be done with a major version release, in order to preserve compatibility with our large product ecosystem and partners.”
