CVE-2021-22008

7.5 HIGH

📋 TL;DR

This vulnerability in VMware vCenter Server's VAPI service allows attackers with network access to port 443 to send specially crafted JSON-RPC messages and access sensitive information. It affects organizations running vulnerable vCenter Server instances, potentially exposing configuration data, credentials, or other sensitive system information.

💻 Affected Systems

Products:
  • VMware vCenter Server
Versions: 7.0 prior to 7.0 U2c, 6.7 prior to 6.7 U3o, 6.5 prior to 6.5 U3q
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Affects vCenter Server with VAPI service enabled (default configuration).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of vCenter Server environment, including access to virtual machine management, credentials, and sensitive configuration data leading to lateral movement across the virtual infrastructure.

🟠 Likely Case

Unauthorized access to sensitive information such as configuration details, system logs, or limited credentials that could facilitate further attacks.

🟢 If Mitigated

Limited information exposure with proper network segmentation and access controls preventing exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires network access to port 443 and ability to craft specific JSON-RPC messages. Authentication not required for exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: vCenter Server 7.0 U2c, 6.7 U3o, 6.5 U3q

Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2021-0020.html

Restart Required: Yes

Instructions:

1. Download appropriate patch from VMware portal.
2. Backup vCenter Server.
3. Apply patch using VMware Update Manager or manual installation.
4. Restart vCenter Server services.

🔧 Temporary Workarounds

Network Segmentation

Platform: all

Restrict access to vCenter Server port 443 to trusted management networks only.

Configure firewall rules to limit access to vCenter Server IP:443 from authorized IP ranges only

VAPI Service Disablement

Platform: linux

Disable VAPI service if not required (may impact some automation features).

# The vCenter Server Appliance runs on Photon OS, which is systemd-based, so chkconfig is not available;
# VCSA services are managed with service-control. The VAPI endpoint service name is assumed to be the
# standard one, vmware-vapi-endpoint; confirm it with the --status listing before stopping it.
service-control --status --all
service-control --stop vmware-vapi-endpoint

🧯 If You Can't Patch

  • Implement strict network access controls to limit connections to vCenter Server port 443
  • Monitor for unusual JSON-RPC traffic patterns and implement IDS/IPS rules

🔍 How to Verify

Check if Vulnerable:

Check vCenter Server version against affected versions list. Review VAPI service status and network access logs.

Check Version:

cat /etc/vmware-vpx/version

Verify Fix Applied:

Verify vCenter Server version is patched to 7.0 U2c, 6.7 U3o, or 6.5 U3q. Test VAPI service functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual JSON-RPC requests in vCenter logs
  • Failed authentication attempts to VAPI service
  • Access from unauthorized source IPs

Network Indicators:

  • Unusual traffic patterns to port 443
  • Malformed JSON-RPC packets
  • Repeated connection attempts to VAPI endpoints

SIEM Query:

source="vcenter" AND ("VAPI" OR "json-rpc") AND status="failed"
