Workaround for BlazeDS CVE-2017-5641 for vCenter Server 6.0
Article ID: 301334

Products

VMware vCenter Server

Issue/Introduction

There is a critical vulnerability tracked by CVE-2017-5641. This vulnerability affects the vCenter Server Appliance and vCenter Server on Windows.
 
This article provides a workaround for the security issue CVE-2017-5641 by removing the telemetry plugins of the vSphere Web Client. Before applying the workaround, see VMSA-2017-0007 for fixes and up-to-date information on this vulnerability.
 
The following versions of the vCenter Server Appliance and vCenter Server are affected by CVE-2017-5641:
 
VMware vCenter Server Appliance 6.0
VMware vCenter Server 6.0
 
Functionality Impact: The Customer Experience Improvement Program stops working, so vCenter and vSphere Web Client telemetry data is no longer sent to VMware.
 


Environment

VMware vCenter Server Appliance 6.0.x
VMware vCenter Server 6.0.x

Resolution

This is a known issue affecting vCenter Server 6.0.
 
This issue is resolved in vCenter Server 6.0 U3b available at VMware Downloads.
 
To work around this issue on vCenter Server, remove the telemetry plugins.
 
For vCenter Server on Windows:
 
  1. Start a command line console.
  2. Run this command to stop the vSphere Web Client service:

    net stop vspherewebclientsvc /y

    Note: The /y parameter also stops the vmware-perfcharts service, which depends on vspherewebclientsvc.
     
  3. Run this command to remove the contents of the vSphere Web Client work directory:

    rmdir "C:\Program Files\VMware\vCenter Server\WebClient\server\work" /s /q
     
  4. Run this command to remove the contents of the pickup directory:

    del "C:\Program Files\VMware\vCenter Server\virgo\server\pickup\*" /q
     
  5. Back up these files located in C:\Program Files\VMware\vCenter Server\WebClient\plugin-packages\vsphere-client\plugins\:
     
    • telemetry-service-6.0.0.jar
    • telemetry-ui-war-6.0.0.war
    • phonehome-collector-ui-war-6.0.0.war
    • cis-data-service-cmc-6.0.0.jar
       
  6. Remove these files located in C:\Program Files\VMware\vCenter Server\WebClient\plugin-packages\vsphere-client\plugins\:
     
    • telemetry-service-6.0.0.jar
    • telemetry-ui-war-6.0.0.war
    • phonehome-collector-ui-war-6.0.0.war
    • cis-data-service-cmc-6.0.0.jar
       
  7. Run these commands to start the vCenter services:

    net start vspherewebclientsvc
    net start vmware-perfcharts
 
For vCenter Server Appliance:
 
  1. Run this command to stop the vSphere Web Client service:

    service vsphere-client stop
     
  2. Run this command to remove the contents of the vSphere Web Client work directory:

    rm -rf /usr/lib/vmware-vsphere-client/server/work/*
     
  3. Run this command to remove the contents of the pickup directory:

    rm /usr/lib/vmware-virgo/server/pickup/*
     
  4. Back up these files that are located in /usr/lib/vmware-vsphere-client/plugin-packages/vsphere-client/plugins/:
     
    • telemetry-service-6.0.0.jar
    • telemetry-ui-war-6.0.0.war
    • phonehome-collector-ui-war-6.0.0.war
    • cis-data-service-cmc-6.0.0.jar
       
  5. Remove these files that are located in /usr/lib/vmware-vsphere-client/plugin-packages/vsphere-client/plugins/:
     
    • telemetry-service-6.0.0.jar
    • telemetry-ui-war-6.0.0.war
    • phonehome-collector-ui-war-6.0.0.war
    • cis-data-service-cmc-6.0.0.jar
       
  6. Run this command to start the vCenter service:

    service vsphere-client start
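As an added example (not VMware's own script), the following POSIX shell script performs the appliance steps above with a timestamped backup of the four plugin files, a local check that none of them remain, and a restore function for the reversal steps listed under Additional Information. The plugin, work and pickup paths are the ones from this article; the backup location under /root and the `apply` argument are assumptions.

```shell
#!/bin/sh
# Added example, not VMware's script: applies the appliance workaround above
# with a timestamped backup so it can be reversed. PLUGIN_DIR, WORK_DIR and
# PICKUP_DIR are the article's paths; BACKUP_DIR under /root is an assumption.
set -eu
PLUGIN_DIR="${PLUGIN_DIR:-/usr/lib/vmware-vsphere-client/plugin-packages/vsphere-client/plugins}"
WORK_DIR="${WORK_DIR:-/usr/lib/vmware-vsphere-client/server/work}"
PICKUP_DIR="${PICKUP_DIR:-/usr/lib/vmware-virgo/server/pickup}"
BACKUP_DIR="${BACKUP_DIR:-/root/cve-2017-5641-backup-$(date +%Y%m%d%H%M%S)}"
# The four telemetry plugin artifacts named in the article.
PLUGINS="telemetry-service-6.0.0.jar telemetry-ui-war-6.0.0.war
phonehome-collector-ui-war-6.0.0.war cis-data-service-cmc-6.0.0.jar"
# Steps 4 and 5: copy each plugin into BACKUP_DIR, then delete it from
# PLUGIN_DIR. A file that is already absent is skipped (already applied).
backup_and_remove_plugins() {
    mkdir -p "$BACKUP_DIR"
    for f in $PLUGINS; do
        if [ -f "$PLUGIN_DIR/$f" ]; then
            cp -p "$PLUGIN_DIR/$f" "$BACKUP_DIR/$f"
            rm -f "$PLUGIN_DIR/$f"
        fi
    done
}

# Succeeds only when none of the four plugin files remain in PLUGIN_DIR.
verify_plugins_removed() {
    for f in $PLUGINS; do
        [ ! -e "$PLUGIN_DIR/$f" ] || return 1
    done
}

# Reversal: put every backed-up plugin back (stop/start the service around it).
restore_plugins() {
    for f in $PLUGINS; do
        if [ -f "$BACKUP_DIR/$f" ]; then cp -p "$BACKUP_DIR/$f" "$PLUGIN_DIR/$f"; fi
    done
}

# Steps 1 to 6 end to end; runs only when invoked as: sh workaround.sh apply
apply_workaround() {
    service vsphere-client stop
    rm -rf "$WORK_DIR"/*
    rm -f "$PICKUP_DIR"/*
    backup_and_remove_plugins
    verify_plugins_removed || { echo "plugin files still present" >&2; exit 1; }
    service vsphere-client start
    echo "Backup written to $BACKUP_DIR (keep it to reverse the workaround)"
}
if [ "${1:-}" = "apply" ]; then apply_workaround; fi
```

The functions read PLUGIN_DIR and BACKUP_DIR at call time, so the same script can be exercised against a scratch directory before it is run on the appliance.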


Additional Information

Process to verify that the workaround was applied:
  1. Open Developer Tools in Chrome, Firefox or IE and go to the Network tab.
  2. Refresh the browser and observe that the removed modules telemetry-ui and ceip-ui are no longer downloaded by the browser.
 
Steps to reverse the workaround:
  1. Stop the vSphere Web Client service.
  2. Restore all the deleted plugin files to their original location.
  3. Start the vSphere Web Client service.

