The vCenter Server team has investigated CVE-2021-21972 and CVE-2021-21973 and have determined that the possibility of exploitation can be removed by performing the steps detailed in the Workaround section of this article. This workaround is meant to be a temporary solution until updates documented in VMSA-2021-0002 can be deployed.

Impacted and Fixed vCenter Server Versions:
 

Version	Impacted Versions	Fixed Version	Release Date	VAMI/Release Notes Build Number	Client/MOB/vpxd.log Build Number
7.0	All versions prior to 7.0 U1c	7.0 U1c (or later)	2020-12-17	17327517 (or later)	17327586 (or later)
6.7 VCSA	All versions prior to 6.7 U3l	6.7 U3l (or later)	2020-11-19	17138064 (or later)	17137327 (or later)
6.7 Windows	All versions prior to 6.7 U3l	6.7 U3l (or later)	2020-11-19	17138064 (or later)	17137232 (or later)

 

Version	Impacted Version	Fixed Version	Release Date	Build Number
6.5 (VCSA and Windows)	All versions prior to 6.5 U3n	6.5 U3n (or later)	2021-02-23	17590285(or later)

 

The links below provide detailed instructions on how to upgrade your VCSA machines.
vSphere 6.7 
https://communities.vmware.com/t5/vSphere-Upgrade-Install/Addressing-VMSA-2021-0002-for-vCenter-6-7/ta-p/2833192
vSphere 7.0
https://communities.vmware.com/t5/vSphere-Upgrade-Install/Addressing-VMSA-2021-0002-for-vCenter-7-0/ta-p/2833079

For any queries with the procedure to update  VMware vCenter ,  please open a thread in the VMTN using this link
 

Functionality Impacts:
Functionality impacts are limited to environments that use vRealize Operations. It should be noted that the vulnerable endpoint exists in vCenter Server whether or not vRealize Operations has ever been introduced to the environment.

• New vRealize Operations customers will not have the provision/option to auto install & configure the vRealize Operations Appliance through the plugin.
• Customers who have already configured a vCenter Adapter in vRealize Operations with vCenter will not be able to display the metric & alert details (both vCenter Server & vSAN overview widgets) in the vSphere Client (HTML 5).

Resolution for CVE-2021-21972 and CVE-2021-21973 is documented in VMSA-2021-0002.

Workaround:
To implement the workaround for CVE-2021-21972 and CVE-2021-21973 on Linux-based virtual appliances (vCSA) perform the following steps:

The plugin must be set to "incompatible". Disabling the plugin from within the UI will not protect the system from this vulnerability.
This workaround is required to be carried out on both the active and passive node in environments running vCenter High Availability (VCHA)
 

1. Connect to the vCSA using an SSH session and root credentials.
2. Backup the /etc/vmware/vsphere-ui/compatibility-matrix.xml file:

3. Open the compatibility-matrix.xml file in a text editor:

4. Content of this file looks like below : 

5. Add the following:

6. The file should like below:

7. Save and close the compatibility-matrix.xml file by typing: :wq!
8. Stop and restart the vsphere-ui service using the commands: 
   1. service-control --stop vsphere-ui.
   2. service-control --start vsphere-ui.
9. Navigate to the https://<VC-IP-or-FQDN>/ui/vropspluginui/rest/services/checkmobregister. This page displays 404/Not Found error (as shown below). 

10. From the vSphere Client (HTML5), the VMware vROPS Client plugin can be seen as “incompatible” under Administration > Solutions > client-plugins as shown below

11. This confirms that the endpoint /ui/vropspluginui is set to "incompatible".

1. RDP to the windows based vCenter Server.
2. Take a backup of the file – 

3. Content of this file looks like below:

4. Add the following: 

5. The file should look like below:

6. Stop and restart the vsphere-ui service using the commands: 
   1. C:\Program Files\VMware\vCenter Server\bin> service-control --stop vsphere-ui
   2. C:\Program Files\VMware\vCenter Server\bin> service-control --start vsphere-ui
7. From a web browser, navigate to:

8. From the vSphere Client (HTML 5), the VMware vROPS Client plugin can be seen as “incompatible” under Administration > Solutions > client-plugins as shown below:

9. This confirms that the endpoint /ui/vropspluginui is set to "incompatible".

1. Connect to the vCSA with an SSH session and root credentials.
2. Open the compatibility-matrix.xml file in a text editor:

3. Remove the below line in the file. 

4. Stop and restart the vsphere-ui service using the commands: 
   1. service-control --stop vsphere-ui.
   2. service-control --start vsphere-ui
5. Validate that the vSphere-ui service is up.
6. The VMware vROPS Client plugin status is deployed/enabled

1. Connect to the Windows vCenter Server.
2. Using a text editor edit the file:

3. Remove the below line in the file. 

4. Stop and restart the vsphere-ui service using the commands: 
   1. C:\Program Files\VMware\vCenter Server\bin> service-control --stop vsphere-ui
   2. C:\Program Files\VMware\vCenter Server\bin> service-control --start vsphere-ui
5. Validate that the vSphere-ui service is up.
6. The VMware vROPS Client plugin status is deployed/enabled

• For more information on how to start/stop/restart services see;
  • How to Stop, Start or Restart vCenter Server 6.x Services 
  • Stopping, Starting or Restarting VMware vCenter Server Appliance 6.x & above services 

For up-to-date information on CVE-2021-21972 and CVE-2021-21973 as well as future security information please sign up for VMware Security Advisory announcements at our mailing list portal. RSS feeds are also available on the advisories themselves.
How to Disable/Enable CIM Server on VMware ESXi