VMware has investigated CVE-2021-22005 and determined that the possibility of exploitation can be removed by performing the steps detailed in the Workaround section of this article.
This workaround is meant to be a temporary solution until updates documented in VMSA-2021-0020 can be deployed.
Resolution for CVE-2021-22005 is documented in VMSA-2021-0020.
Workaround:
To implement the workaround for CVE-2021-22005 on Linux-based virtual appliances (vCSA) perform the following steps:
6.7 vCenters running on Windows are not impacted by CVE-2021-22005
There is no requirement to implement this workaround on 6.7 Windows VC systems
This workaround also applies to VCSAs running as external PSCs in a vCenter 6.7 environment
This workaround requires an update to the “/etc/vmware-analytics/ph-web.xml” file and a restart of the vmware-analytics service
The update to the file involves “commenting out” a number of entries in the file using the “<!--” and “-->” tags
The required changes depend on the version of VMware vCenter.
For 6.7 U1b (Build 11726888) and earlier, there is 1 endpoint, "phTelemetryServlet", that needs to be commented out
For 6.7U2 (Build 13010631) and later, and all versions of 7.0, there are 3 impacted endpoints, the "phTelemetryServlet", "phPhApiServlet" and "phPhStgApiServlet" endpoints.
Option 1 - Implement Workaround Via The "VMSA-2021-0020" Script
This script is provided to help customers implement the documented workaround in a timely and automated way
The script should ONLY be executed on vulnerable vCenter and PSC appliances
If you have patched or updated your systems to the fixed versions of either 6.7U3o or 7.0U2c, please do not execute the script. The endpoints have been updated in these versions and will return a "HTTP/1.1 400" status when the curl command documented at the end of the manual steps is executed. See the "Related Information" section below for more information
(Edit: Latest version of script not attached. This will report an "Environment is already patched for VMSA-2021-0020." message when executed on a patched system)
To use this approach, you must download the VMSA-2021-0020.py file attached to this article.
Then, use the file-moving utility of your choice (WinSCP for example) to copy the file to the appliance on which you wish to execute it.
The script will update the ph-web.xml file as required on ALL affected versions of 6.7 and 7.0.
NOTE: If you have troubles connecting to a vCenter appliance using WinSCP, please see Error when uploading files to vCenter Server Appliance using WinSCP
For the purposes of this document, the python script has been copied to the “/var/tmp” directory on the VCSA
Any directory can be used – but the location of the file will need to be updated in the commands below
Steps
1) Connect to the vCSA using an SSH session and root credentials
2) List the contents of the directory where you copied the file – to ensure it was copied successfully
In this case, that is "/var/tmp". Execute the command and ensure that the file is listed
ls -al /var/tmp/
3) Run the script by executing the command below
Change the path to the file as appropriate
The version of python to use depends on the exact version of your vCenter.
The script can be executed with python, python3.5 or python3.7
python /var/tmp/VMSA-2021-0020.py
or
python3.5 /var/tmp/VMSA-2021-0020.py
or
python3.7 /var/tmp/VMSA-2021-0020.py
The script will execute and
a. Create a backup of the unmodified ph-web.xml
b. Update the ph-web.xml file
c. Create a backup of the updated ph-web.xml
d. Restart the analytics service
e. Confirm that the appliance is no longer vulnerable
See the output below (script executed with python 3.5 in this example)
This completes the "scripted workaround"
Option 2 - Implement Workaround Manually
1) Connect to the vCSA using an SSH session and root credentials.
2) Backup the /etc/vmware-analytics/ph-web.xml file:
cp /etc/vmware-analytics/ph-web.xml /etc/vmware-analytics/ph-web.xml.backup
3) Open the /etc/vmware-analytics/ph-web.xml file in a text editor
vi /etc/vmware-analytics/ph-web.xml
4) Content of this file looks like below:
5) Hit “I” on the keyboard to enter “Insert” mode (I for Insert)
6) Navigate to the “<list>” line as shown below
7) Hit Enter
8) Type “<!--” as shown below
9) Navigate to the “</bean>” line just after the “<property name="servlet" ref="phPhStgApiServlet"/>” line
On older versions of 6.7 (U1b or earlier), you should navigate to the “</bean>” line just after the “<property name="servlet" ref="phTelemetryServlet"/>” line
10) Hit “Enter” and type “-->”
11) Hit the “Esc” button on your keyboard to exit Insert mode
12) Save and exit the file by typing “:wq” and hitting “Enter”
13) Restart the vmware-analytics service by typing
service-control --restart vmware-analytics
14) To confirm that the workaround has taken effect, you can test by running the command below
curl -X POST "http://localhost:15080/analytics/telemetry/ph/api/hyper/send?_c&_i=test" -d "Test_Workaround" -H "Content-Type: application/json" -v 2>&1 | grep HTTP
This should return an "HTTP/1.1 404" status, confirming the commented-out endpoint is no longer served
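The manual steps above (backup, wrap the servlet mappings from the “<list>” line to the “</bean>” after the last impacted servlet in an XML comment, then verify) can be carried out and checked programmatically. The following is an added example written for this page; it is not VMware's VMSA-2021-0020.py script and the sample document produced by make_sample() is a constructed approximation of the layout the article describes, not the real ph-web.xml. It handles both cases the article distinguishes (one impacted servlet on 6.7 U1b and earlier, three on 6.7 U2 and later and all 7.0 builds) by commenting out whichever impacted servlets it finds, refuses to run twice, and parses the result to confirm no impacted servlet is still mapped.

```python
"""Comment out the CVE-2021-22005 analytics servlet mappings in ph-web.xml.

Added example, not VMware's VMSA-2021-0020.py script. It mirrors the manual
steps: open an XML comment on the line after <list>, close it after the </bean>
that follows the last impacted servlet reference, then confirm the result
still parses and no longer maps those servlets. make_sample() builds a
constructed document in the layout the article describes, not the real file.
"""
import re
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

# Endpoints named in the article: 6.7 U1b and earlier only carry the first,
# 6.7 U2 and later and all 7.0 builds carry all three.
IMPACTED_SERVLETS = ("phTelemetryServlet", "phPhApiServlet", "phPhStgApiServlet")
COMMENT_OPEN, COMMENT_CLOSE = "<!--", "-->"


def make_sample(servlet_refs):
    """Constructed ph-web.xml-like text with one <bean> per servlet ref (not the real file)."""
    beans = "".join(
        '        <bean class="example.Mapping">\n'
        f'          <property name="servlet" ref="{ref}"/>\n'
        "        </bean>\n"
        for ref in servlet_refs
    )
    return (
        '<beans>\n  <bean id="mappings" class="example.Mappings">\n'
        '    <property name="list">\n      <list>\n'
        f"{beans}"
        "      </list>\n    </property>\n  </bean>\n</beans>\n"
    )


def is_already_applied(xml_text):
    """True if the line after <list> already opens an XML comment."""
    lines = xml_text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if line.strip() == "<list>":
            return lines[i + 1].strip() == COMMENT_OPEN
    return False


def comment_out_servlets(xml_text):
    """Return (patched_text, impacted_servlets_found) or raise ValueError.

    Works on whichever impacted servlets are present, so one call covers both
    the 6.7 U1b (one endpoint) and 6.7 U2+/7.0 (three endpoints) layouts.
    """
    if is_already_applied(xml_text):
        raise ValueError("workaround already applied")
    lines = xml_text.splitlines()
    list_idx = next((i for i, l in enumerate(lines) if l.strip() == "<list>"), None)
    if list_idx is None:
        raise ValueError("no <list> line found; layout not recognised")
    found, last_ref, end = [], None, len(lines)
    for i in range(list_idx + 1, len(lines)):
        text = lines[i].strip()
        if text == "</list>":
            end = i
            break
        for name in IMPACTED_SERVLETS:
            if f'ref="{name}"' in text:
                found.append(name)
                last_ref = i  # remember the last impacted reference
    if not found:
        raise ValueError("no impacted servlet references inside <list>")
    close_idx = next((i for i in range(last_ref + 1, end) if lines[i].strip() == "</bean>"), None)
    if close_idx is None:
        raise ValueError("no </bean> after the last impacted servlet reference")
    region = lines[list_idx + 1:close_idx + 1]
    # An XML comment may not contain "--", so a region that already has one
    # (e.g. an existing comment) cannot be wrapped safely.
    if any("--" in l for l in region):
        raise ValueError("region contains '--'; it cannot be wrapped in an XML comment")
    indent = re.match(r"\s*", lines[list_idx + 1]).group(0)
    patched = (lines[:list_idx + 1] + [indent + COMMENT_OPEN] + region
               + [indent + COMMENT_CLOSE] + lines[close_idx + 1:])
    return "\n".join(patched) + "\n", found


def remaining_impacted_refs(xml_text):
    """Parse the text and list impacted servlets still mapped (expected: [])."""
    root = ET.fromstring(xml_text)  # also fails loudly if the comment broke the XML
    return sorted({el.get("ref") for el in root.iter() if el.get("ref") in IMPACTED_SERVLETS})


def apply_workaround(path):
    """Back up <path> to <path>.backup, rewrite it, and return the servlets commented out."""
    path = Path(path)
    patched, found = comment_out_servlets(path.read_text())
    if remaining_impacted_refs(patched):
        raise RuntimeError("patched file still maps an impacted servlet")
    shutil.copy2(path, path.with_name(path.name + ".backup"))
    path.write_text(patched)
    return found


if __name__ == "__main__":
    text, names = comment_out_servlets(make_sample(list(IMPACTED_SERVLETS) + ["healthServlet"]))
    print(text)
    print("commented out:", names, "still mapped:", remaining_impacted_refs(text))
```

Running apply_workaround("/etc/vmware-analytics/ph-web.xml") on an appliance performs steps 2 through 12; the service restart (step 13) and the curl check (step 14) are still run as documented above, since the XML edit alone does nothing until vmware-analytics reloads it. The ElementTree parse in remaining_impacted_refs() is the check a manual editor lacks: a stray character inside the comment markers yields a malformed file that the service would fail to load.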