CVE-2021-22009: 
vSphere vCenter Server vulnerability analysis and mitigation

CVE-2021-22009 is a denial-of-service vulnerability affecting VMware vCenter Server's VAPI (vCenter API) service, discovered and disclosed in September 2021. The vulnerability affects VMware vCenter Server versions 6.7 and 7.0, as well as VMware Cloud Foundation versions 3.x and 4.x. VMware has evaluated this vulnerability to be in the Moderate severity range with a CVSS v3.1 base score of 5.3 (VMware Advisory).

The vulnerability exists in the VAPI (vCenter API) service of vCenter Server and can lead to excessive memory consumption. The vulnerability has a CVSS v3.1 base score of 5.3 with the following vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. This indicates that the vulnerability is network accessible, requires low attack complexity, needs no privileges or user interaction, and can impact system availability (NVD).

When successfully exploited, this vulnerability can create a denial of service condition due to excessive memory consumption by the VAPI service. The impact is primarily focused on system availability, with no direct impact on confidentiality or integrity of the system (VMware Advisory).

VMware has released patches to address this vulnerability. Affected users should upgrade to vCenter Server version 7.0 U2c for vCenter Server 7.0, version 6.7 U3o for vCenter Server 6.7, or version 6.5 U3q for vCenter Server 6.5. For Cloud Foundation users, updates are available in version 4.3 and 3.10.2.2. No workarounds are available for this vulnerability (VMware Advisory).