CVE-2021-22017 — VMware vCenter Server Improper Access Control

CVE-2021-22017

VMware vCenter rhttpproxy: URI Normalization Flaw in the Reverse Proxy Lets an Unauthenticated Attacker Bypass the Proxy and Reach Internal vCenter Endpoints; VMSA-2021-0020

What is vCenter's rhttpproxy?

VMware vCenter Server puts a reverse HTTP proxy, rhttpproxy (the vmware-rhttpproxy service), in front of its backend services. It terminates TLS on port 443 and forwards each request to the backend that owns the request's URI prefix: the vSphere API under /sdk, the web client, the SSO and authentication endpoints, and the various management components. Because every backend sits behind it, the proxy's routing decision is in practice an access-control decision: a URI prefix that is not meant to be reachable from the network is supposed to be rejected or simply left unrouted at the proxy. That decision is only as good as the proxy's URI normalization, the step that percent-decodes the path and resolves dot-segments (. and ..) before matching it against the routing table. If the proxy checks the raw path but forwards a path that later resolves somewhere else, or decodes in a different order than the backend does, a request can be judged against one prefix and delivered to another. That is the defect class behind CVE-2021-22017: an unauthenticated attacker with network access to port 443 can craft a URI that reaches internal endpoints the proxy was supposed to keep off the network.

Overview

CVE-2021-22017 is an improper access control vulnerability in the rhttpproxy component of VMware vCenter Server, caused by an improper implementation of URI normalization. A remote attacker with network access to port 443 on vCenter Server, and no credentials, can exploit it to bypass the proxy and reach internal endpoints that should not be exposed. VMware fixed it in VMSA-2021-0020 (September 21, 2021), the advisory that also covered the critical CVE-2021-22005 (arbitrary file upload leading to RCE, CVSS 9.8). On its own CVE-2021-22017 is rated medium (CVSS 5.3), but it shipped in the same update as those higher-severity fixes, and CISA added it to the Known Exploited Vulnerabilities catalog on January 10, 2022.

Affected Versions

Product                            Fixed in
vCenter Server 7.0                 7.0 U2d (any earlier 7.0 build is affected)
vCenter Server 6.7                 6.7 U3o (the VMSA-2021-0020 release for the 6.7 line)
vCenter Server 6.5                 6.5 U3q (the VMSA-2021-0020 release for the 6.5 line)
VMware Cloud Foundation 3.x/4.x    Per VMSA-2021-0020

Not every CVE in VMSA-2021-0020 applies to every product line. The advisory's response matrix is authoritative for whether CVE-2021-22017 is listed against the 6.5 and 6.7 lines and Cloud Foundation; the builds above are the ones the advisory shipped on September 21, 2021.

Technical Details

  • Root cause: improper URI normalization in rhttpproxy. The proxy decides which backend receives a request from the request URI. VMware's advisory says only that normalization was implemented improperly and the exact malformed URI has not been published, but the class is well understood: when the path used for the routing or allow decision and the path that actually reaches the backend differ (percent-encoded separators such as %2f, dot-segments such as /../, or decoding applied in a different order at the proxy and at the backend), a request that passes the check against one prefix is delivered to another.
  • Unauthenticated (PR:N, UI:N): the attacker needs only network access to port 443 on vCenter Server. The proxy's routing decision is the control that keeps internal endpoints off the network, and backends behind it assume that traffic arriving through the proxy has already been filtered, so a bypass at the proxy lands before any backend authentication runs.
  • VMSA-2021-0020 context: the advisory fixed 19 vulnerabilities, including the critical CVE-2021-22005 (arbitrary file upload in the Analytics service, CVSS 9.8) and a second, higher-rated rhttpproxy bypass, CVE-2021-22006 (CVSS 8.3). Two proxy-bypass fixes in one release is the practical reason a 5.3 issue deserves the same patch priority as the rest of the advisory.
  • Confidentiality impact (C:L): reaching an internal endpoint returns responses that would otherwise require authentication, such as service responses, partial configuration or error pages that reveal internal paths. The vector scores this as limited disclosure with no integrity or availability impact because the bypass alone neither changes state nor takes anything down.
  • Chaining: a proxy bypass is an enabler. Any backend reachable only through the proxy that has its own weakness becomes exploitable from the network, so the practical exposure is larger than the CVSS for the bypass suggests.
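The mismatch described above, as an added worked example that is not VMware's code and does not reproduce the actual rhttpproxy payload (which VMware has not published): a toy proxy router whose allow check runs on the raw path while its dispatch runs on the resolved path, next to a hardened router that canonicalizes once and fails closed. The routing table, the /internal-admin prefix and every request path are constructed for illustration.

```python
"""Added example, not VMware code: a toy reverse-proxy router showing the
URI-normalization defect class behind CVE-2021-22017 and a hardened form.
The routing table, the /internal-admin prefix and every request path are
constructed; the real malformed URI used against rhttpproxy is not public."""
from posixpath import normpath
from urllib.parse import unquote

# Constructed table: URI prefix -> backend name.
ROUTES = {
    "/ui": "ui",                   # web client, reachable from the network
    "/sdk": "vpxd",                # API endpoint, reachable from the network
    "/internal-admin": "admin",    # constructed internal-only backend
}
# Prefixes an unauthenticated network client may reach; everything else is
# supposed to be unreachable through the proxy.
PUBLIC_PREFIXES = ("/ui", "/sdk")


def _under(path, prefix):
    """True if path is prefix itself or lies below it (so '/uix' does not match '/ui')."""
    return path == prefix or path.startswith(prefix + "/")


def _lookup(path):
    for prefix, backend in ROUTES.items():
        if _under(path, prefix):
            return backend
    return None


def route_naive(raw_path):
    """Vulnerable router: the allow decision looks at the raw path, but the
    dispatch step percent-decodes and resolves dot-segments first. The two
    views of the same request disagree, which is the bug class here."""
    if not any(_under(raw_path, p) for p in PUBLIC_PREFIXES):
        return None                       # rejected at the proxy
    resolved = normpath(unquote(raw_path))
    return _lookup(resolved)              # may now point at an internal backend


def canonicalize(raw_path):
    """Hardened normalization: decode exactly once, refuse a second encoding
    layer or NUL bytes, collapse dot-segments, and return None (fail closed)
    for anything that is not a clean absolute path."""
    if not raw_path.startswith("/") or "\x00" in raw_path:
        return None
    decoded = unquote(raw_path)
    if "%" in decoded or "\x00" in decoded:   # double-encoded input: do not guess
        return None
    path = normpath(decoded)
    return "/" + path.lstrip("/")             # posixpath keeps a leading '//'


def route_hardened(raw_path):
    """Allow decision and dispatch both use the single canonical path."""
    path = canonicalize(raw_path)
    if path is None or not any(_under(path, p) for p in PUBLIC_PREFIXES):
        return None
    return _lookup(path)


if __name__ == "__main__":
    for probe in ("/ui/index.html", "/ui/..%2finternal-admin/config",
                  "/ui/%2e%2e/internal-admin", "/ui/%252e%252e/internal-admin"):
        print(f"{probe:40} naive={route_naive(probe)!s:6} hardened={route_hardened(probe)}")
```

The naive router accepts /ui/..%2finternal-admin/config because the raw string starts with /ui, then hands the resolved /internal-admin/config to the internal backend. The hardened router decodes once, refuses anything that still carries a % after that decode (double encoding), resolves dot-segments, and only then asks whether the result is under a public prefix; rejecting rather than "repairing" odd input is what keeps the check and the dispatch from drifting apart.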

Discovery

Reported to VMware and fixed in VMSA-2021-0020 on September 21, 2021, together with the other 18 vulnerabilities in that advisory. CISA added CVE-2021-22017 to the KEV catalog on January 10, 2022, which means CISA had evidence of in-the-wild exploitation of this specific issue and not only of the higher-severity CVE-2021-22005 from the same advisory. Organizations that had not applied the September 2021 update by then were exposed to everything it covers.

Exploitation Context

vCenter Server manages every ESXi host, virtual machine and datastore in its inventory, so anything that extends an attacker's reach into it matters. CVE-2021-22017 does not give code execution by itself; it gives an unauthenticated network attacker access to endpoints that were meant to be internal, which is useful for reconnaissance and as the first hop in a chain against those endpoints. The January 2022 KEV listing shows that this issue, and not only the RCE from the same advisory, was used in practice. The environments at risk were those where change-control windows for virtualization infrastructure had delayed the September 2021 update.

Remediation

  1. Apply the VMSA-2021-0020 update for every affected vCenter Server line (7.0 U2d, and the corresponding 6.7 and 6.5 releases where the advisory lists them) and for VMware Cloud Foundation. One update fixes CVE-2021-22017, the critical CVE-2021-22005 and the rest of the advisory, so schedule it at the priority the 9.8 issue warrants.
  2. Keep the vCenter management interface (TCP 443) off the internet and restrict it to management networks by firewall rule; an unauthenticated proxy bypass is exactly as reachable as port 443 is.
  3. Segment vCenter so that it is reachable only from administrator workstations, trusted management segments, and the ESXi hosts and services that need it.
  4. After patching, review the rhttpproxy logs on the appliance (/var/log/vmware/rhttpproxy/) and any upstream access logs for request URIs containing dot-segments, percent-encoded separators (%2f, %2e) or double encoding (%25), and for requests whose path lands under a different prefix once normalized.
  5. Strong authentication does not mitigate this issue, since no credentials are involved; patching and network exposure are the only effective controls. Treat any sign of prior bypass attempts as a possible precursor to exploitation of CVE-2021-22005 and widen the investigation accordingly.
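The log review in the remediation steps above, as an added example that is mine and not VMware tooling. The log lines are constructed in a simplified "timestamp client method target status" layout; that layout is an assumption, not the real rhttpproxy.log format, so adapt LINE_RE to whatever your collector emits. The request paths are constructed probes, not known exploit strings.

```python
"""Added example, not VMware tooling: flag proxy log entries whose request
URI looks like a normalization-bypass attempt. The log layout below
('timestamp client method target status') is a constructed simplification,
not the real rhttpproxy.log format; adjust LINE_RE for your collector."""
import re
from posixpath import normpath
from urllib.parse import unquote, urlsplit

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$"
)
RAW_DOTSEG_RE = re.compile(r"(^|/)\.\.(/|$)")            # literal /../ in the path
ENCODED_RE = re.compile(r"%2e|%2f|%5c|%25|%00", re.I)     # encoded . / \ % NUL

PREFIX_CHANGE = "top-level prefix changes after normalization"


def _top(path):
    """First path segment, i.e. where the path claims to be going."""
    parts = [seg for seg in path.split("/") if seg]
    return parts[0] if parts else ""


def classify_target(target):
    """Return the list of reasons this request target is suspicious (empty if none)."""
    path = urlsplit(target).path
    reasons = []
    if RAW_DOTSEG_RE.search(path):
        reasons.append("raw dot-segment")
    if ENCODED_RE.search(path):
        reasons.append("encoded separator, dot, percent or NUL")
    if "\\" in path:
        reasons.append("backslash in path")
    # One decode plus dot-segment resolution: if the leading prefix moves,
    # an access check on the raw path would have judged the wrong location.
    canon = normpath(unquote(path))
    if _top(path) != _top(canon):
        reasons.append(PREFIX_CHANGE)
    return reasons


def triage(lines):
    """Return (line_no, client, target, reasons) for every suspicious or unparseable line."""
    hits = []
    for no, line in enumerate(lines, start=1):
        m = LINE_RE.match(line.strip())
        if not m:
            hits.append((no, None, line, ["unparseable line"]))
            continue
        reasons = classify_target(m["target"])
        if reasons:
            hits.append((no, m["src"], m["target"], reasons))
    return hits


# Constructed sample; the two 203.0.113.7 probes are the ones worth a look.
SAMPLE_LOG = """\
2021-09-25T10:02:11Z 203.0.113.7 GET /ui/ 200
2021-09-25T10:02:15Z 203.0.113.7 GET /ui/..%2finternal-admin/config 200
2021-09-25T10:02:19Z 198.51.100.4 GET /sdk/vimService 200
2021-09-25T10:02:23Z 203.0.113.7 GET /ui/%252e%252e/internal-admin 404
2021-09-25T10:02:31Z 198.51.100.4 POST /sdk/ 200
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG.splitlines()):
        print(hit)
```

The prefix-change test is the one that matters most: a raw /ui/... target that normalizes to /internal-admin/... is the signature of the defect class regardless of which encoding trick produced it, while the regexes catch probes (double encoding, NUL) that a single decode leaves unchanged. A 404 on a flagged line is still worth keeping; it shows someone was probing the proxy even if that particular attempt failed.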

Key Details

Property                Value
CVE ID                  CVE-2021-22017
Vendor / Product        VMware / vCenter Server
NVD Published           2021-09-23
NVD Last Modified       2025-10-30
CVSS 3.1 Score          5.3
CVSS 3.1 Vector         CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity                MEDIUM
CISA KEV Added          2022-01-10
CISA KEV Deadline       2022-01-24
Known Ransomware Use    No

CVSS 3.1 Breakdown

Metric                  Value
Attack Vector           Network
Attack Complexity       Low
Privileges Required     None
User Interaction        None
Scope                   Unchanged
Confidentiality         Low
Integrity               None
Availability            None

Required Action

CISA BOD 22-01 Deadline: 2022-01-24. Apply updates per vendor instructions.

Timeline

Date          Event
2021-09-21    VMware releases VMSA-2021-0020, fixing CVE-2021-22017 and 18 other vulnerabilities in vCenter Server and Cloud Foundation, including the critical CVE-2021-22005 (arbitrary file upload, RCE)
2021-09-23    CVE published in NVD
2022-01-10    Added to the CISA Known Exploited Vulnerabilities catalog
2022-01-24    CISA BOD 22-01 remediation deadline

References

Resource                                        Type
VMware Security Advisory VMSA-2021-0020         Vendor advisory
NVD entry for CVE-2021-22017                    Vulnerability database
CISA KEV catalog entry for CVE-2021-22017       US government catalog