Threats include obtaining access to confidential data
VMware has fixed a vulnerability in VMware View Planner, a tool that simulates loads on virtual desktop infrastructure and tests its performance. This issue was also flagged and published on the VMware site.
The vulnerability, discovered by Positive Technologies expert Mikhail Klyuchnikov, is tracked as CVE-2021-21978 and has a CVSSv3 score of 8.6, reflecting a high degree of danger. Remote code execution (RCE) lets attackers compromise web applications and is one of the most critical threats according to OWASP.
Mikhail Klyuchnikov at Positive Technologies explains: "The vulnerability is caused by insufficient filtering of user data and a lack of authorization at a URL address used for exploitation. After obtaining RCE, hackers may try to develop the attack in order to penetrate the corporate network or attempt to obtain access to confidential data in View Planner. However, hackers will only have RCE in the container, which reduces the level of threat."
To fix the vulnerability, follow the recommendations from VMware's official publication.
VMware has already commended Positive Technologies expert Mikhail Klyuchnikov for his help in eliminating two vulnerabilities in vCenter Server. An exploit for the CVE-2021-21972 vulnerability (CVSSv3 score 9.8) has already been published, which is why we urge installing the corresponding updates as soon as possible.