Purpose
The vCenter team has investigated CVE-2021-21972 and CVE-2021-21973 and have determined that the possibility of exploitation can be removed by performing the steps detailed in the ‘workaround’ section of this article. This workaround is meant to be a temporary solution until updates documented in VMSA-2021-0002 can be deployed.
Impacted product versions:
- 7.0 prior to 7.0 U1c
- 6.7 prior to 6.7 U3l
- 6.5 prior to 6.5 U3n
Functionality Impacts:
Functionality impacts are limited to environments that use vRealize Operations. It should be noted that the vulnerable endpoint exists in vCenter Server whether or not vRealize Operations has ever been introduced to the environment.
- New vRealize Operations customers will not have the provision/option to auto install & configure the vRealize Operations Appliance through the plugin.
- Customers who have already configured a vCenter Adapter in vRealize Operations with vCenter will not be able to display the metric & alert details (both VC & vSAN overview widgets) in the vCenter H5 client.
Resolution
Resolution for CVE-2021-21972 and CVE-2021-21973 is documented in VMSA-2021-0002.
Workaround
To implement the workaround for CVE-2021-21972 and CVE-2021-21973 on Linux-based virtual appliances (vCSA) perform the following steps:
- SSH to vCSA.
- Take a backup of the file:
- /etc/vmware/vsphere-ui/compatibility-matrix.xml
- Content of this file looks like below :
- Using a file Editor, Insert the below line in the file.
<Matrix>
<pluginsCompatibility>
. . . .
. . . .
<PluginPackage id=”com.vmware.vrops.install” status=”incompatible”/>
</pluginsCompatibility>
</Matrix>
- The file should look like below
- Restart the vsphere-ui service. Using command: service-control –restart vsphere-ui
- Navigate to the https://<VC-IP-or-FQDN>/ui/vropspluginui/rest/services/checkmobregister. This page displays 404/Not Found error (as shown below).
- From the h5-client, the VMWare vROPS Client plugin can be seen as “incompatible” under Administration Solutions client-plugins as shown below
- This confirms that the endpoint /ui/vropspluginui is disabled.
To implement the workaround for CVE-2021-21972 and CVE-2021-21973 on Windows-based vCenter Server deployments perform the following steps:
1. RDP to the windows based vCenter Server.
2. Take a backup of the file –
2. Take a backup of the file –
- C:\ProgramData\VMware\vCenterServer\cfg\vsphere-ui\compatibility-matrix.xml
3. Content of this file looks like below :
4. Using a file Editor, Insert the below line in the file.
4. Using a file Editor, Insert the below line in the file.
<Matrix>
<pluginsCompatibility>
. . . .
. . . .
<PluginPackage id="com.vmware.vrops.install" status="incompatible"/>
</pluginsCompatibility>
</Matrix>
5. The file should look like below:
6. Restart the vsphere-ui service. Using command – C:\Program Files\VMware\vCenter Server\bin> service-control –restart vsphere-ui
7. Navigate to
https://<VC-IP-or-FQDN>/ui/vropspluginui/rest/services/checkmobregister.
This page displays 404/Not Found error (as shown below):
8. From the h5-client, the VMWare vROPS Client plugin can be seen as “incompatible” under Administration Solutions client-plugins as shown below:
6. Restart the vsphere-ui service. Using command – C:\Program Files\VMware\vCenter Server\bin> service-control –restart vsphere-ui
7. Navigate to
https://<VC-IP-or-FQDN>/ui/vropspluginui/rest/services/checkmobregister.
This page displays 404/Not Found error (as shown below):
8. From the h5-client, the VMWare vROPS Client plugin can be seen as “incompatible” under Administration Solutions client-plugins as shown below:
This confirms that the endpoint /ui/vropspluginui is disabled.
To revert the workaround for CVE-2021-21972 and CVE-2021-21973 on Linux-based virtual appliances (vCSA) perform the following steps:
1. SSH to vCSA.
2. Using a text editor edit the file –
2. Using a text editor edit the file –
- /etc/vmware/vsphere-ui/compatibility-matrix.xml
3. Remove the below line in the file.
<Matrix>
<pluginsCompatibility>
. . . .
. . . .
<PluginPackage id="com.vmware.vrops.install" status="incompatible"/>
</pluginsCompatibility>
</Matrix>
4. Restart the vsphere-ui service. Using command – service-control –restart vsphere-ui
5. Validate that the vSphere-ui service is up. VMWare vROPS Client plugin status is deployed/enabled
5. Validate that the vSphere-ui service is up. VMWare vROPS Client plugin status is deployed/enabled
To revert the workaround for CVE-2021-21972 and CVE-2021-21973 on Windows-based vCenter Server deployments perform the following steps:
1. RDP to the Windows vCenter Server.
2. Using a text editor edit the file –
2. Using a text editor edit the file –
- C:\ProgramData\VMware\vCenterServer\cfg\vsphere-ui\compatibility-matrix.xml
3. Remove the below line in the file.
<Matrix>
<pluginsCompatibility>
. . . .
. . . .
<PluginPackage id="com.vmware.vrops.install" status="incompatible"/>
</pluginsCompatibility>
</Matrix>
4. Restart the vsphere-ui service. Using command – C:\Program Files\VMware\vCenter Server\bin> service-control –restart vsphere-ui
5. Validate that the vSphere-ui service is up. VMWare vROPS Client plugin status is deployed/enabled
5. Validate that the vSphere-ui service is up. VMWare vROPS Client plugin status is deployed/enabled
For more information on how to start/stop/restart services. Refer to below KBs:
- https://kb.vmware.com/s/article/2109881
- https://kb.vmware.com/s/article/2109887
Related Information
For up-to-date information on CVE-2021-21972 and CVE-2021-21973 as well as future security information please sign up for VMware Security Advisory announcements at our mailing list portal. RSS feeds are also available on the advisories themselves.
点击数:48
