Workaround for BlazeDS CVE-2017-5641 for vCenter Server 6.5

Products

VMware vCenter Server

Issue/Introduction

There is a critical vulnerability tracked by CVE-2017-5641. This vulnerability affects the vCenter Server Appliance and vCenter Server on Windows.

This article provides a workaround for the security issue CVE-2017-5641 by removing the telemetry plugins of vSphere Web Client. Before applying the workaround, see VMSA-2017-0007 for fixes and up to date information on this vulnerability.

The following versions of the vCenter Server Appliance and vCenter Server are impacted with the CVE-2017-5641 issue:

VMware vCenter Server Appliance 6.5
VMware vCenter Server 6.5

Functionality Impact: The Customer Experience Improvement Program will stop working which will result in not sending vCenter and vSphere web client telemetry data to VMware.

Resolution

This issue is resolved in vCenter Server 6.5 c available at VMware Downloads.

To work around this issue, remove the telemetry plugins.

For vCenter Server 6.5 on Windows

Log in as an administrator to the Windows machine.
Open the command prompt.
Run this command to navigate to C:\Program Files\VMware\vCenter Server\vmon:

cd C:\Program Files\VMware\vCenter Server\vmon
Run this command to stop the vSphere Web Client service:

vmon-cli -k vsphere-client
Backup the contents of C:\ProgramData\VMware\vCenterServer\runtime\vsphere-client\server\work and C:\ProgramData\VMware\vCenterServer\runtime\vsphere-client\server\pickup.
Run this command to remove the contents of the vSphere Web Client work directory:

rmdir "C:\ProgramData\VMware\vCenterServer\runtime\vsphere-client\server\work" /s /q
Run this command to remove the contents of the pickup directory:

del "C:\ProgramData\VMware\vCenterServer\runtime\vsphere-client\server\pickup\*" /q
Back up the following files located at C:\ProgramData\VMware\vCenterServer\runtime\vsphere-client\plugin-packages\telemetry\plugins\.
- ceip-service-6.1.0.jar
- ceip-ui-war-6.1.0.war
- telemetry-service-6.1.0.jar
- telemetry-ui-war-6.1.0.war
Remove the following files under C:\ProgramData\VMware\vCenterServer\runtime\vsphere-client\plugin-packages\telemetry\plugins\.
- ceip-service-6.1.0.jar
- ceip-ui-war-6.1.0.war
- telemetry-service-6.1.0.jar
- telemetry-ui-war-6.1.0.war
Run this command to navigate to C:\Program Files\VMware\vCenter Server\vmon:

cd C:\Program Files\VMware\vCenter Server\vmon
Run this command to start the vCenter services:

vmon-cli -i vsphere-client

For vCenter Server Appliance 6.5

Connect the vCenter Server Appliance with an SSH session.
Run this command to stop the vSphere Web Client service:

/usr/lib/vmware-vmon/vmon-cli -k vsphere-client
Backup the contents of the /usr/lib/vmware-vsphere-client/server/work/ directory.
Run this command to remove the contents of the vSphere Web Client work directory:

rm -rf /usr/lib/vmware-vsphere-client/server/work/*
Backup the contents of the /usr/lib/vmware-vsphere-client/server/pickup/ directory.
Run this command to remove the contents of the pickup directory:

rm /usr/lib/vmware-vsphere-client/server/pickup/*
Back up the following files under /usr/lib/vmware-vsphere-client/plugin-packages/telemetry/plugins/.
- ceip-service-6.1.0.jar
- ceip-ui-war-6.1.0.war
- telemetry-service-6.1.0.jar
- telemetry-ui-war-6.1.0.war
Remove the following files under /usr/lib/vmware-vsphere-client/plugin-packages/telemetry/plugins/.
- ceip-service-6.1.0.jar
- ceip-ui-war-6.1.0.war
- telemetry-service-6.1.0.jar
- telemetry-ui-war-6.1.0.war
Run this command to start the vCenter service:

/usr/lib/vmware-vmon/vmon-cli -i vsphere-client

Additional Information

Process to verify the workaround was applied:

Open Developer Tools in Chrome, Firefox or IE and go to the Network tab.
Refresh the browser and observe that the removed module telemetry-ui is not downloaded in the browser.

Steps to reverse the workaround:

Stop the vSphere Web Client service.
Restore all the deleted plugin files to their original location.
Start the vSphere Web Client service.