CVE-2021-22050

7.5 HIGH

📋 TL;DR

CVE-2021-22050 is a slow HTTP POST denial-of-service vulnerability in the rhttpproxy service of VMware ESXi. An attacker with network access to the service can exhaust it with many concurrent slow POST requests, causing a denial of service. It affects ESXi hosts whose rhttpproxy service is reachable from untrusted networks.

💻 Affected Systems

Products:
  • VMware ESXi
Versions: ESXi 6.5, 6.7, and 7.0 prior to the patch releases listed under Official Fix
Operating Systems: VMware ESXi
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with rhttpproxy service running and accessible. ESXi management interfaces are typically exposed by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete unavailability of the ESXi management interface and potential disruption of virtual machine operations if rhttpproxy crashes or becomes unresponsive.

🟠 Likely Case

Degraded or unavailable ESXi management interface, preventing administrators from managing the hypervisor while VMs continue running.

🟢 If Mitigated

Minimal impact if network segmentation isolates ESXi management interfaces from untrusted networks and proper monitoring is in place.

🌐 Internet-Facing: HIGH - ESXi management interfaces should never be exposed to the internet, but if they are, this vulnerability is easily exploitable.
🏢 Internal Only: MEDIUM - Requires internal network access, but many environments have ESXi management accessible from internal networks where attackers could pivot.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only network access to the rhttpproxy service (typically port 443). No authentication required. Simple tools can generate slow HTTP POST requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ESXi 6.5 EP30, ESXi 6.7 EP27, ESXi 7.0 U3c

Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2022-0004.html

Restart Required: Yes

Instructions:

1. Download the appropriate ESXi patch from the VMware portal.
2. Place the host in maintenance mode.
3. Apply the patch via esxcli software vib update.
4. Reboot the host.
5. Verify the patch installation.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Restrict network access to ESXi management interfaces to trusted administrative networks only.

Configure firewall rules to allow only specific source IPs to access ESXi management ports (typically 443, 902).

Load Balancer Protection (applies to: all)

Configure load balancers or WAFs to detect and block slow HTTP attacks.

Configure connection timeouts and request size limits on network devices.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate ESXi management interfaces
  • Deploy network monitoring to detect slow HTTP attack patterns

🔍 How to Verify

Check if Vulnerable:

Check the ESXi version with esxcli system version get. If the version is earlier than the patched releases listed under Official Fix, the host is vulnerable.

Check Version:

esxcli system version get

Verify Fix Applied:

Verify the patch installation with esxcli software vib list | grep -i rhttpproxy and check that the version matches the patched release.

📡 Detection & Monitoring

Log Indicators:

  • Multiple slow HTTP POST requests to /ui or other rhttpproxy endpoints in ESXi logs
  • Increased rhttpproxy service errors or crashes

Network Indicators:

  • Unusually slow HTTP POST requests to ESXi management IP on port 443
  • Multiple incomplete HTTP requests from single sources

SIEM Query:

source="esxi" AND ("rhttpproxy" OR "/ui") AND ("POST" OR "slow") AND (status=408 OR status=500)
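As an added example (not from this page, VMware, or the vendor advisory), the following Python script applies the log and network indicators above to constructed sample log lines: it parses each line, treats a POST that timed out (408), never completed (no status), or ran for an abnormally long time as a "slow POST", and flags any source that produced several of them. The key=value line format, the status heuristics, the 10-second threshold and the per-source minimum are assumptions made for illustration; real rhttpproxy log lines would first have to be mapped into the same fields.

```python
"""Flag sources producing repeated slow or incomplete HTTP POST requests."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines in a generic key=value access-log shape.
# This is an assumed format for the example, not the real rhttpproxy log layout.
# 203.0.113.7 sends repeated POSTs that time out (408) or never finish (status "-");
# 198.51.100.4 is normal traffic; 192.0.2.9 has a single timeout.
SAMPLE_LOG = """\
2022-02-15T10:00:01Z src=203.0.113.7 method=POST path=/ui status=408 duration_ms=30012
2022-02-15T10:00:02Z src=203.0.113.7 method=POST path=/ui status=408 duration_ms=30008
2022-02-15T10:00:03Z src=203.0.113.7 method=POST path=/sdk status=408 duration_ms=30015
2022-02-15T10:00:04Z src=203.0.113.7 method=POST path=/ui status=408 duration_ms=29990
2022-02-15T10:00:05Z src=203.0.113.7 method=POST path=/ui status=- duration_ms=45000
2022-02-15T10:00:06Z src=198.51.100.4 method=GET path=/ui status=200 duration_ms=120
2022-02-15T10:00:07Z src=198.51.100.4 method=POST path=/sdk status=200 duration_ms=340
2022-02-15T10:00:08Z src=192.0.2.9 method=POST path=/ui status=408 duration_ms=30001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) path=(?P<path>\S+) "
    r"status=(?P<status>\S+) duration_ms=(?P<dur>\d+)$"
)


@dataclass
class Entry:
    """One parsed request record."""
    ts: str
    src: str
    method: str
    path: str
    status: str        # numeric status as text, or "-" when the request never completed
    duration_ms: int


def parse_log(text: str) -> list[Entry]:
    """Parse key=value lines; lines that do not match the assumed format are skipped."""
    entries: list[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(Entry(m["ts"], m["src"], m["method"], m["path"],
                             m["status"], int(m["dur"])))
    return entries


def is_slow_post(e: Entry, slow_ms: int = 10_000) -> bool:
    """A POST counts as slow/incomplete if it timed out (408), has no final status,
    or stayed open longer than slow_ms (threshold is an assumption for this example)."""
    if e.method != "POST":
        return False
    return e.status == "408" or e.status == "-" or e.duration_ms >= slow_ms


def find_suspicious_sources(entries: list[Entry], slow_ms: int = 10_000,
                            min_count: int = 3) -> dict[str, int]:
    """Return {source_ip: slow_post_count} for sources at or above min_count.
    A single timeout is normal; a burst from one source matches the slow-POST pattern."""
    counts: Counter[str] = Counter(e.src for e in entries if is_slow_post(e, slow_ms))
    return {src: n for src, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    flagged = find_suspicious_sources(parse_log(SAMPLE_LOG))
    for src, n in sorted(flagged.items(), key=lambda kv: -kv[1]):
        print(f"ALERT slow-POST pattern: src={src} slow_or_incomplete_posts={n}")
```

Tune `slow_ms` and `min_count` to the normal request profile of the management interface; the counting is deliberately per source so that a single legitimate timeout is not an alert while a sustained burst from one address is.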
