CVE-2021-22017
Published: 23 September 2021
Summary
CVE-2021-22017 is a medium-severity vulnerability in VMware vCenter Server; NVD assigns it no specific weakness type (NVD-CWE-noinfo). Its CVSS v3.1 base score is 5.3 (Medium).
Operationally, it ranks in the top 1.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).
Deeper analysis
Rhttproxy as used in vCenter Server contains a vulnerability due to improper implementation of URI normalization. The affected component is the reverse proxy (rhttproxy) that fronts the vCenter Server services and listens on port 443. The issue received a CVSS v3.1 score of 5.3 and carries no specific CWE assignment (NVD-CWE-noinfo).
A malicious actor with network access to port 443 on vCenter Server can exploit this issue to bypass the proxy's routing restrictions and reach internal endpoints the proxy is meant to keep unreachable from outside. The attack requires no authentication or user interaction; its impact is limited disclosure of information from otherwise protected resources, which is what the 5.3 score reflects.
The vulnerability is referenced in VMware security advisory VMSA-2021-0020 and appears in the CISA Known Exploited Vulnerabilities catalog, indicating confirmed real-world exploitation activity.
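The root cause described above, a proxy that decides which routes are reachable before the URI has been brought into canonical form, is easiest to see in code. The following is an added illustration written for this page; it is not VMware's code and does not reproduce the real rhttproxy logic or any real vCenter endpoint. The route prefixes (`/ui/`, `/sdk/`, `/internal/`) and the probe paths are constructed for the example. It shows a check-then-normalize router beside a normalize-then-check router and feeds both the same dot-segment, percent-encoded and double-encoded traversal variants.

```python
"""
Added illustration (not VMware code, not the real rhttproxy logic):
a reverse proxy that matches a URI against a route allowlist *before*
canonicalizing it can be talked into forwarding a request to a prefix it
meant to hide.  All prefixes and request paths below are constructed.
"""
from urllib.parse import unquote
import posixpath

# Hypothetical routing table: only these prefixes may be reached from outside.
PUBLIC_PREFIXES = ("/ui/", "/sdk/")
# Hypothetical internal-only prefix served behind the same 443 listener.
INTERNAL_PREFIX = "/internal/"


def canonicalize(path: str) -> str:
    """Canonical form shared by both routers: percent-decode until stable
    (so %252e%252e is also resolved), collapse duplicate slashes, and
    resolve '.' and '..' segments.  The result is always absolute."""
    decoded = path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    norm = posixpath.normpath(decoded)
    if not norm.startswith("/"):
        norm = "/" + norm
    return norm


def weak_route(path: str):
    """Check-then-normalize (the bug pattern): the allowlist sees the raw
    path, but the backend receives the canonical one.
    Returns (decision, path_sent_to_backend)."""
    if not path.startswith(PUBLIC_PREFIXES):
        return ("deny", None)
    # A later hop resolves dot-segments and percent-encoding, so the
    # request can land somewhere the allowlist never looked at.
    return ("allow", canonicalize(path))


def hardened_route(path: str):
    """Normalize-then-check: allowlist and backend see the same canonical
    path, so traversal cannot escape the permitted prefixes."""
    canonical = canonicalize(path)
    # Anything still carrying NUL or backslash after decoding is rejected.
    if "\x00" in canonical or "\\" in canonical:
        return ("deny", None)
    if not canonical.startswith(PUBLIC_PREFIXES):
        return ("deny", None)
    return ("allow", canonical)


def reaches_internal(decision) -> bool:
    """True when a routing decision forwards the request to INTERNAL_PREFIX."""
    verdict, backend_path = decision
    return verdict == "allow" and backend_path.startswith(INTERNAL_PREFIX)


# Constructed probe paths: one legitimate request and three traversal variants.
PROBES = [
    "/ui/index.html",
    "/ui/../internal/status",
    "/ui/%2e%2e/internal/status",
    "/ui//..%2f..%2finternal/status",
]

if __name__ == "__main__":
    for p in PROBES:
        print(f"{p:34} weak={weak_route(p)}  hardened={hardened_route(p)}")
```

Running it shows the weak router forwarding all three traversal probes to `/internal/status` while the hardened router denies them and still admits `/ui/index.html`. The general rule the example encodes: every component that makes an authorization decision on a URI must operate on exactly the canonical form the final consumer will act on, and decoding must be run to a fixed point so multiply-encoded input cannot slip a second layer past the check.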
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-9186
Vulnerability details
Rhttproxy as used in vCenter Server contains a vulnerability due to improper implementation of URI normalization. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to bypass proxy leading to internal endpoints being accessed.
- CWE(s): NVD-CWE-noinfo
- KEV Date Added: 10 January 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces approved access paths through the reverse proxy, so that the URI-normalization bypass cannot be used to reach internal endpoints behind port 443. In practice this means applying the vendor fix from VMSA-2021-0020, since the flawed normalization is the access-enforcement point itself.
- SC-7 (Boundary Protection): Requires boundary-protection mechanisms in front of vCenter Server (firewalls, management-network segmentation) to inspect and filter traffic to port 443, so that only authorized management networks can reach the proxy at all and an unauthenticated attacker never obtains the network access the attack requires.
- AC-4 (Information Flow Enforcement): Enforces information-flow rules between external and internal networks, mitigating the proxy-bypass path that would otherwise allow direct access to protected endpoints.