Workaround Instructions for CVE-2021-22048
Article ID: 317717


Products

VMware vCenter Server

Issue/Introduction


VMware security advisory VMSA-2021-0025 describes CVE-2021-22048. VMware has investigated and determined that the possibility of exploitation can be removed by performing the steps detailed in the Workaround section of this article.

This workaround requires that the SSO identity source configuration is switched from Integrated Windows Authentication (IWA) to one of the options below.
1) Active Directory over LDAPs authentication
2) Identity Provider Federation for AD FS (vSphere 7.0 or later)

Active Directory over LDAP authentication is not impacted by this vulnerability. However, VMware strongly recommends that customers plan to move to another authentication method; the VMware blog posted here has more details on this.
In addition, please refer to the vSphere Authentication with vCenter Single Sign-On documentation.


Resolution

This issue is resolved in vCenter Server 7.0 U3i; please click here to download it. For more details, please read VMware security advisory VMSA-2021-0025.

Workaround:

To switch to Active Directory over LDAPs, please see here and KB_2041378.
To switch to Identity Provider Federation for AD FS, please see here.



Additional Information


For more information, please refer to the VMware blogs below.
VMware vSphere & Microsoft LDAP Channel Binding & Signing
vSphere Authentication, Microsoft Active Directory LDAP, and Event ID 2889
vSphere 7 – Identity Federation

Impact/Risks:

Active Directory over LDAPs does not understand domain trusts, so customers that switch to this method will have to configure a unique identity source for each of their trusted domains. Identity Provider Federation for AD FS does not have this restriction.