BD is aware of and currently monitoring VMware vulnerabilities affecting VMware vCenter Server and ESXi. These third-party vulnerabilities are not specific to BD or our products. BD is providing this update to let customers know which BD products could be affected by these third-party vulnerabilities. Please note that not all BD products listed in this bulletin are in scope for each CVE.
CVE-2021-21972 - The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
CVE-2021-21974 - OpenSLP as used in ESXi has a heap-overflow vulnerability. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.
CVE-2021-21985 - The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
Additionally, BD has not received any reports of these vulnerabilities being exploited on BD products.
The product lists below identify existing BD products that utilize in-scope VMware products. The lists may be updated as more products are identified. In addition, these lists do not indicate the patch or device status. Please check back periodically for updates.
Note: The BD Alaris™ Systems Manager runs in a VMware ESXi environment that the customer provides. Customers are responsible for updating and maintaining security patches for VMware ESXi, as it resides within the customer's network infrastructure.
The BD products listed below are in scope for CVE-2021-21972, CVE-2021-21974, and CVE-2021-21985:
The BD products listed below are in scope for CVE-2021-21974:
*CVE-2021-21974 ESXi OpenSLP remote code execution vulnerability: opening port 427 is not recommended during implementation for the BD Pyxis™ suite of products.
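The guidance above (port 427 should not be open, and port 443 is the exposure point for the vCenter issues) is easy to verify against your own host inventory. The following script is an added illustration and is not BD or VMware tooling; the hostnames are constructed placeholders to replace with the ESXi and vCenter hosts you operate. It only completes a TCP handshake and sends nothing, so it reports exposure without touching the services.

```python
"""Defender-side exposure check for the ports named in this bulletin.

Added example, not part of the BD advisory. It reports which inventory
hosts accept TCP connections on 427 (ESXi OpenSLP) and 443 (vSphere
Client), so a Pyxis or Alaris operator can confirm the port guidance.
"""
import socket
from typing import Dict, Iterable, List

# Ports named in the bulletin and the component each one exposes.
ADVISORY_PORTS: Dict[int, str] = {
    427: "ESXi OpenSLP (CVE-2021-21974)",
    443: "vSphere Client / vCenter (CVE-2021-21972, CVE-2021-21985)",
}


def port_is_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake completes; nothing is sent afterwards."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name resolution failed
        return False


def check_inventory(hosts: Iterable[str],
                    ports: Dict[int, str] = ADVISORY_PORTS,
                    timeout: float = 2.0) -> Dict[str, List[int]]:
    """Map each host to the advisory ports it accepts connections on.

    Hosts with no open advisory port are omitted from the result.
    """
    findings: Dict[str, List[int]] = {}
    for host in hosts:
        open_ports = [p for p in ports if port_is_open(host, p, timeout)]
        if open_ports:
            findings[host] = open_ports
    return findings


def slp_exposed(findings: Dict[str, List[int]]) -> List[str]:
    """Hosts accepting port 427, i.e. those contradicting the Pyxis guidance."""
    return sorted(h for h, open_ports in findings.items() if 427 in open_ports)


if __name__ == "__main__":
    # Constructed inventory (placeholders); substitute the hosts you manage.
    inventory = ["esxi-01.example.internal", "vcenter.example.internal"]
    found = check_inventory(inventory)
    for host, open_ports in found.items():
        print(host, [f"{p}: {ADVISORY_PORTS[p]}" for p in open_ports])
    print("Hosts exposing OpenSLP on 427:", slp_exposed(found))
```

Run it from a workstation that sits in the same network segment as the hosts, because the OpenSLP issue is reachable only from that segment; a clean result from a remote subnet does not prove port 427 is closed locally. Hosts that show 427 open should be compared against the patch status in the Bulletins and Patches page before any change is made.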
The BD products listed below are in scope for CVE-2021-21972 and CVE-2021-21985:
Customers that maintain patches independent of BD automated delivery are responsible for maintaining the correct security posture of their system(s) and should ensure related VMware patches have been applied:
BD is currently working to test and validate the VMware patch(es) for BD products that use the affected third-party components. Some patches may already be available. Please refer to the Bulletins and Patches page for all approved product security patching notifications. Additionally, we recommend the following compensating controls for customers using BD products that utilize VMware vCenter Server or ESXi:
For product or site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by this third-party vulnerability, disconnect the device from the network and contact your BD service representative immediately.
US CERT Advisories: