VMware has released security advisory VMSA-2021-0010, which is rated critical, so please take note. It affects VMware vCenter Server and VMware Cloud Foundation. The vulnerabilities center on vCenter, a key component of the virtualization infrastructure, so apply these patches as soon as you can.
This advisory affects vSphere versions 6.5, 6.7 and 7.0, as well as VMware Cloud Foundation 3.x and 4.x.
Bob Plankers writes on the VMware vSphere Blog:
The VMSA outlines two issues that are resolved in this patch release. First, there is a remote code execution vulnerability in the vSAN plugin, which ships as part of vCenter Server. This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of whether you use vSAN or not.
Second, improvements were made to the vCenter Server plugin framework to better enforce plugin authentication. This affects some VMware plugins, and may also cause some third-party plugins to stop working. VMware partners have been notified and are working to test their plugins (most continue to work), but there may be a period after updating when a virtualization admin team may need to access backup, storage, or other systems through their respective management interfaces and not through the vSphere Client UI. If a third-party plugin in your environment is affected, please contact the vendor that supplied it for an update.
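Since the advisory covers three release lines, the first practical step is to find out which of your vCenter Servers are still below the fixed build for their line. The script below is an added example, not code from the post or from VMware: it groups an inventory of vCenter hosts into patched, vulnerable and unknown. The fixed build numbers are not on this page, so FIXED_BUILDS is left as a placeholder you fill in from VMSA-2021-0010 (any line left at 0 reports as "unknown" rather than silently passing). The fetch_version helper assumes the vCenter appliance REST endpoints /rest/com/vmware/cis/session and /rest/appliance/system/version; the sample inventory and the SAMPLE_FIXED table are constructed for a dry run.

```python
"""Fleet check for VMSA-2021-0010 (added example, hypothetical helper):
compare each vCenter's build against the minimum fixed build for its line."""
import base64
import json
import ssl
import urllib.request
from typing import Dict, List, Optional

# Placeholder: fill in the minimum fixed build per release line from the
# advisory. 0 means "not configured", so those hosts are reported as unknown.
FIXED_BUILDS: Dict[str, int] = {"6.5": 0, "6.7": 0, "7.0": 0}


def release_line(version: str) -> str:
    """'7.0.2.00200' -> '7.0'; '6.7.0.48000' -> '6.7'."""
    major, minor = (version.split(".") + ["0"])[:2]
    return f"{major}.{minor}"


def is_patched(version: str, build: int, fixed: Dict[str, int]) -> Optional[bool]:
    """True/False when the release line has a configured fixed build, else None
    (unknown line, or a line whose fixed build was never filled in)."""
    minimum = fixed.get(release_line(version), 0)
    if minimum <= 0:
        return None
    return build >= minimum


def assess_fleet(inventory: List[dict], fixed: Dict[str, int]) -> Dict[str, List[str]]:
    """Bucket hosts as patched / vulnerable / unknown.
    Each inventory item: {"host": ..., "version": ..., "build": ...}."""
    report: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for item in inventory:
        state = is_patched(item["version"], int(item["build"]), fixed)
        bucket = "unknown" if state is None else ("patched" if state else "vulnerable")
        report[bucket].append(item["host"])
    return report


def fetch_version(host: str, user: str, password: str) -> dict:
    """Assumed vCenter appliance REST flow: POST the session endpoint with
    basic auth to get a session id, then GET the system version. TLS is
    verified with the default context; add your CA to the trust store
    rather than disabling verification."""
    ctx = ssl.create_default_context()
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}/rest/com/vmware/cis/session",
        method="POST",
        headers={"Authorization": f"Basic {creds}"},
    )
    with urllib.request.urlopen(req, context=ctx) as resp:
        session_id = json.load(resp)["value"]
    req = urllib.request.Request(
        f"https://{host}/rest/appliance/system/version",
        headers={"vmware-api-session-id": session_id},
    )
    with urllib.request.urlopen(req, context=ctx) as resp:
        info = json.load(resp)["value"]
    return {"host": host, "version": info["version"], "build": int(info["build"])}


# Constructed sample inventory and fixed-build table for an offline dry run;
# the build numbers are invented and are not the advisory's real values.
SAMPLE_INVENTORY = [
    {"host": "vc-prod-01.example.internal", "version": "7.0.2.00200", "build": 5000},
    {"host": "vc-lab-01.example.internal", "version": "6.7.0.48000", "build": 1000},
    {"host": "vc-old-01.example.internal", "version": "6.0.0.30000", "build": 900},
]
SAMPLE_FIXED = {"6.5": 2000, "6.7": 3000, "7.0": 4000}

if __name__ == "__main__":
    # Live use: inventory = [fetch_version(h, user, pw) for h in hosts]
    print(json.dumps(assess_fleet(SAMPLE_INVENTORY, SAMPLE_FIXED), indent=2))
```

The "unknown" bucket is deliberate: a host on a release line you have not entered a fixed build for (or on a line the advisory does not cover, such as 6.0) should show up for a human to look at rather than be counted as safe.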
This should highlight how important patching your infrastructure is. I know it can be hard at times to find change windows for patches, but let’s be honest, we all have that one server (OK, maybe more than one) that has been running for 2+ years and has never been patched. You don’t want to be the person who reboots that server and finds out it has stopped working. So I understand the hesitancy, but keeping these systems updated is the only way to stay out of the news.
I’d suggest working with your security team to set up a bi-weekly meeting on patches and updates. For the weeks when you don’t have a meeting, send out an email with a weekly summary, so there are no gaps. Taking the lead on this will show your management team you take security seriously, and it will also show your leadership skills.
If you can, ask your management team for a small-scale test environment where you can apply patches and test scenarios before they become a real problem. Be proactive in how you handle this.
Go get those systems patched. Do you have an established method for updates and patches? Do you work closely with other teams in bringing systems into compliance? Any software you have used recently that has made this task easier for you? Let me know on Twitter, and thanks for reading.