CVE-2021-22020: 
vSphere vCenter Server vulnerability analysis and mitigation

CVE-2021-22020 is a denial-of-service vulnerability discovered in the Analytics service of VMware vCenter Server. The vulnerability was disclosed on September 21, 2021, affecting VMware vCenter Server versions 6.7 and 7.0, as well as VMware Cloud Foundation versions 3.x and 4.x. VMware has evaluated this vulnerability with a CVSSv3 base score of 5.0, categorizing it in the Moderate severity range (VMware Advisory).

The vulnerability exists in the Analytics service component of vCenter Server. It has been assigned a CVSS v3.1 base score of 5.5 MEDIUM with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access is required for exploitation (NVD). The vulnerability does not affect vCenter Server 6.5 installations (VMware Advisory).

Successful exploitation of this vulnerability allows an attacker to create a denial-of-service condition on vCenter Server, potentially disrupting service availability (VMware Advisory).

VMware has released patches to address this vulnerability. For vCenter Server 7.0, the fix is included in version 7.0 U2c, for vCenter Server 6.7, the fix is available in version 6.7 U3o. For Cloud Foundation, fixes are available in versions 4.3 and 3.10.2.2. No workarounds are available, making patch installation the only remediation option (VMware Advisory).