This issue is resolved in the following releases available at
VMware Downloads:
To work around this issue, apply one of the following solutions:
Creating Firewall rules in VMware vCenter Server Appliance Using Script (Recommended)
Note: Using the scripted method will create persistent rules in the firewall that will be maintained after appliance reboots.
To create the workaround firewall rules in VMware vCenter Server Appliance using the script, follow these steps:
- Download the vcsa_iptables_scripts-new.zip file attached to the KB article.
- Unzip the contents of the vcsa_iptables_scripts-new.zip file.
- Open a console or SSH connection to the VMware vCenter Server Appliance and login as root user.
- Copy the script to the appliance and make it executable with the following command:
chmod 755 add_iptables_settings.sh
- Execute the script using the following command:
./add_iptables_settings.sh
or
sh add_iptables_settings.sh
- Display the new firewall rules and confirm that they are present. iptables -nL lists only the IPv4 rules; run ip6tables -nL to confirm the IPv6 rules:
iptables -nL
ip6tables -nL
Note: The rules created by the script persist across appliance reboots.
All dropped packets are logged to /var/log/firewall (the exact location depends on your appliance version), so that file can be reviewed for troubleshooting. A dropped DNS response looks similar to the following: SPT=53 identifies it as a reply from the resolver at SRC, and the first LEN field is the IP packet length that exceeded the 2048-byte limit:
2016-02-19T01:43:20+00:00 localhost kernel: [24539.930406] IN=eth0 OUT= MAC=02:01:27:cd:a5:a1:00:2a:6a:5b:33:3c:08:00 SRC=10.117.0.1 DST=10.xxx.yy.zzz LEN=4539 TOS=0x00 PREC=0x00 TTL=55 ID=0 PROTO=UDP SPT=53 DPT=33834 LEN=4519
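To turn the firewall log into something actionable, the following shell function summarises the dropped DNS responses per source, showing how many packets each resolver sent and the largest IP length seen. It is an added example and is not part of this KB article or of its attached scripts. It assumes the kernel log format shown above, with no --log-prefix on the LOG rule, and keys on SPT=53 and the first LEN= field (the IP total length, which is the value the length match tests). The sample log lines are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the VMware KB): summarise dropped DNS responses
# recorded by the LOG rules, grouped by protocol and source address.
#
# Usage: dns_drop_summary /var/log/firewall [MIN_IP_LEN]
# Output: "<count> <PROTO> <SRC> <largest IP length seen>", most frequent first.

dns_drop_summary() {
    local file="$1" min_len="${2:-2049}"   # 2049 matches the --length 2049: rule
    awk -v min="$min_len" '
    {
        src = ""; proto = ""; spt = ""; iplen = ""
        # Walk the key=value fields of the kernel log line; tokens without
        # "=" (timestamp, "kernel:", flags such as DF or ACK) are skipped.
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            if (key == "SRC") src = val
            else if (key == "PROTO") proto = val
            else if (key == "SPT") spt = val
            else if (key == "LEN" && iplen == "") iplen = val   # first LEN= is the IP total length
        }
        # Keep only DNS replies (source port 53) at or above the threshold.
        if (spt != "53" || iplen + 0 < min) next
        k = proto " " src
        count[k]++
        if (iplen + 0 > maxlen[k]) maxlen[k] = iplen + 0
    }
    END {
        for (k in count) print count[k], k, maxlen[k]
    }' "$file" | sort -rn
}

# Constructed sample log (not captured from a real appliance). The last line
# is a 512-byte reply dropped by some other rule and must not be counted.
SAMPLE_LOG='2016-02-19T01:43:20+00:00 localhost kernel: [24539.930406] IN=eth0 OUT= MAC=02:01:27:cd:a5:a1:00:2a:6a:5b:33:3c:08:00 SRC=10.117.0.1 DST=10.0.0.10 LEN=4539 TOS=0x00 PREC=0x00 TTL=55 ID=0 PROTO=UDP SPT=53 DPT=33834 LEN=4519
2016-02-19T01:43:21+00:00 localhost kernel: [24540.101200] IN=eth0 OUT= MAC=02:01:27:cd:a5:a1:00:2a:6a:5b:33:3c:08:00 SRC=10.117.0.1 DST=10.0.0.10 LEN=3100 TOS=0x00 PREC=0x00 TTL=55 ID=0 PROTO=UDP SPT=53 DPT=41011 LEN=3080
2016-02-19T01:44:02+00:00 localhost kernel: [24581.220011] IN=eth0 OUT= MAC=02:01:27:cd:a5:a1:00:2a:6a:5b:33:3c:08:00 SRC=192.0.2.53 DST=10.0.0.10 LEN=2500 TOS=0x00 PREC=0x00 TTL=60 ID=12345 DF PROTO=TCP SPT=53 DPT=50122 WINDOW=29200 RES=0x00 ACK PSH URGP=0
2016-02-19T01:44:05+00:00 localhost kernel: [24584.000100] IN=eth0 OUT= MAC=02:01:27:cd:a5:a1:00:2a:6a:5b:33:3c:08:00 SRC=10.117.0.1 DST=10.0.0.10 LEN=512 TOS=0x00 PREC=0x00 TTL=55 ID=0 PROTO=UDP SPT=53 DPT=33900 LEN=492'
```

Run it as dns_drop_summary /var/log/firewall on the appliance. A source that keeps appearing is a resolver that returns answers above the 2048-byte limit (for example DNSSEC-signed or large TXT responses); those lookups will fail on the appliance for as long as the workaround is in place, and the LEN column shows how far over the limit each response was.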
Note: Remove these firewall rules after you upgrade to a release that resolves the issue. While they are in place they also drop legitimate DNS responses larger than 2048 bytes (for example DNSSEC-signed responses), so review /var/log/firewall if name resolution on the appliance starts failing.
Removing Firewall Rules in VMware vCenter Server Appliance Using Script
To remove the workaround firewall rules in VMware vCenter Server Appliance using the script, follow these steps:
- Download the vcsa_iptables_scripts-new.zip file attached to the KB article.
- Unzip the contents of the vcsa_iptables_scripts-new.zip file.
- Open a console or SSH connection to the VMware vCenter Server Appliance and login as root user.
- Copy the script to the appliance and make it executable with the following command:
chmod 755 remove_iptables_settings.sh
- Execute the script using the following command:
./remove_iptables_settings.sh
or
sh remove_iptables_settings.sh
- Display the firewall rules and confirm that the workaround rules have been removed. iptables -nL lists only the IPv4 rules; run ip6tables -nL to confirm the IPv6 rules:
iptables -nL
ip6tables -nL
Note: The removal performed by the script also persists across appliance reboots, so the rules do not return after a restart.
MD5 checksums for the attached files are as follows:
md5 checksum for vcsa_iptables_scripts-new.zip file - 245E8FA48B890B06ED0666B0D316FBE3
md5 checksum for add_iptables_settings.sh - 971d468369420556eff8eb193286b4d4
md5 checksum for remove_iptables_settings.sh - 99672b3577734800aaea32a3609c0043
Manually Creating Firewall Rules in VMware vCenter Server Appliance
Note: Using the manual method will create non-persistent rules in the firewall that will not be maintained after appliance reboots. This method should only be used when the patch cannot be applied to the appliance.
To create the workaround firewall rules in VMware vCenter Server Appliance manually, follow these steps:
- Open a console or SSH connection to the VMware vCenter Server Appliance and log in as the root user.
Note: If you are using vSphere 6.0, you land in the appliance shell and must enable and enter the BASH shell first:
- Run this command:
shell.set --enabled true
- Run the shell command.
- Check the current firewall rules. iptables -nL lists the IPv4 rules; use ip6tables -nL for the IPv6 rules:
iptables -nL
For example (this listing comes from an appliance where the workaround rules already sit at the top of the chain):
Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53 length 2049:65535
LOG udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 length 2049:65535 LOG flags 0 level 4
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 length 2049:65535
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
inbound all -- 0.0.0.0/0 0.0.0.0/0
port_filter all -- 0.0.0.0/0 0.0.0.0/0
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 13
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 14
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
DROP udplite -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 2/min burst 5 LOG flags 0 level 4 prefix `IPfilter Dropped: '
- To work around the vulnerability, add the following firewall rules. Keep the order shown: each -I inserts at the top of the chain, so adding the DROP rule first and the LOG rule second leaves the LOG rule above the DROP rule and the packet is logged before it is discarded. The rules match any packet from source port 53 whose IP length is 2049 bytes or more, so legitimate large DNS responses are dropped as well.
For IPv4 tables
iptables -I INPUT -p udp --sport 53 -m length --length 2049: -j DROP
iptables -I INPUT -p udp --sport 53 -m length --length 2049: -j LOG
iptables -I INPUT -p tcp --sport 53 -m length --length 2049: -j DROP
iptables -I INPUT -p tcp --sport 53 -m length --length 2049: -j LOG
For IPv6 tables
ip6tables -I INPUT -p udp --sport 53 -m length --length 2049: -j DROP
ip6tables -I INPUT -p udp --sport 53 -m length --length 2049: -j LOG
ip6tables -I INPUT -p tcp --sport 53 -m length --length 2049: -j DROP
ip6tables -I INPUT -p tcp --sport 53 -m length --length 2049: -j LOG
- Once completed, confirm that the new firewall rules are present (use ip6tables -nL for the IPv6 rules):
iptables -nL
For example:
Chain INPUT (policy DROP)
target prot opt source destination
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53 length 2049:65535 LOG flags 0 level 4
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53 length 2049:65535
LOG udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 length 2049:65535 LOG flags 0 level 4
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 length 2049:65535
Warning: The iptables rules added manually are not persisted across vCenter Server Appliance reboots.
Manually Removing Firewall Rules in VMware vCenter Server Appliance
To remove the workaround firewall rules in VMware vCenter Server Appliance manually, follow these steps:
- Open a console or SSH connection to the VMware vCenter Server Appliance and log in as the root user.
Note: If you are using vSphere 6.0, you land in the appliance shell and must enable and enter the BASH shell first:
- Run this command:
shell.set --enabled true
- Run the shell command.
- Check the current firewall rules (iptables -nL for the IPv4 rules, ip6tables -nL for the IPv6 rules):
iptables -nL
For example:
Chain INPUT (policy DROP)
target prot opt source destination
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53 length 2049:65535 LOG flags 0 level 4
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53 length 2049:65535
LOG udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 length 2049:65535 LOG flags 0 level 4
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 length 2049:65535
- Remove the workaround firewall rules using these commands:
For IPv4 tables
iptables -D INPUT -p udp --sport 53 -m length --length 2049: -j LOG
iptables -D INPUT -p udp --sport 53 -m length --length 2049: -j DROP
iptables -D INPUT -p tcp --sport 53 -m length --length 2049: -j LOG
iptables -D INPUT -p tcp --sport 53 -m length --length 2049: -j DROP
For IPv6 tables
ip6tables -D INPUT -p udp --sport 53 -m length --length 2049: -j LOG
ip6tables -D INPUT -p udp --sport 53 -m length --length 2049: -j DROP
ip6tables -D INPUT -p tcp --sport 53 -m length --length 2049: -j LOG
ip6tables -D INPUT -p tcp --sport 53 -m length --length 2049: -j DROP
- Once completed, confirm that the rules have been removed (iptables -nL for the IPv4 rules, ip6tables -nL for the IPv6 rules):
iptables -nL
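The scripted and manual procedures above apply and remove the same four rule pairs, so they can be driven from one place. The following script is an added example; it is not the add_iptables_settings.sh or remove_iptables_settings.sh attached to the KB, and it does not reproduce how those scripts persist rules across reboots, which this page does not describe. It keeps the page's insertion order (DROP before LOG for each protocol, so that with -I the LOG rule lands above the DROP rule), applies the rules to both iptables and ip6tables, skips rules that are already present (assuming an iptables build that supports -C; on older builds -C returns an error and the rule is inserted again), and includes a helper to verify the MD5 checksums listed above before running the attached scripts. The IPT and IP6T variables are assumptions of this example so that the commands can be swapped out for a dry run.

```shell
#!/bin/bash
# Added example, not the KB's attached script. Adds or removes the DNS
# response-length workaround rules on IPv4 and IPv6, and verifies the
# checksums of the KB attachments. Persistence across reboots is NOT handled.

# Assumed override hooks for a dry run, e.g. IPT=echo IP6T=echo before sourcing.
IPT="${IPT:-iptables}"
IP6T="${IP6T:-ip6tables}"

# Rule specifications in the order the KB inserts them: DROP first, then LOG,
# so that successive -I calls leave LOG above DROP in the INPUT chain.
dns_rule_specs() {
    local proto
    for proto in udp tcp; do
        printf '%s\n' "-p $proto --sport 53 -m length --length 2049: -j DROP"
        printf '%s\n' "-p $proto --sport 53 -m length --length 2049: -j LOG"
    done
}

# Print the exact commands that apply_dns_rules would run, for review.
dns_rule_cmds() {
    local op tool spec
    case "$1" in
        add)    op=-I ;;
        remove) op=-D ;;
        *) echo "usage: dns_rule_cmds add|remove" >&2; return 2 ;;
    esac
    for tool in iptables ip6tables; do
        dns_rule_specs | while IFS= read -r spec; do
            printf '%s %s INPUT %s\n' "$tool" "$op" "$spec"
        done
    done
}

# Insert (add) or delete (remove) the rules on both the IPv4 and IPv6 tables.
apply_dns_rules() {
    local action="$1" op tool spec
    case "$action" in
        add)    op=-I ;;
        remove) op=-D ;;
        *) echo "usage: apply_dns_rules add|remove" >&2; return 2 ;;
    esac
    for tool in "$IPT" "$IP6T"; do
        dns_rule_specs | while IFS= read -r spec; do
            # $spec is intentionally word-split into separate iptables arguments.
            if [ "$action" = add ] && "$tool" -C INPUT $spec 2>/dev/null; then
                echo "already present: $tool INPUT $spec"
            elif ! "$tool" "$op" INPUT $spec; then
                echo "failed: $tool $op INPUT $spec" >&2
            fi
        done
    done
}

# Show the INPUT chain of both tables; iptables -nL alone omits the IPv6 rules.
show_dns_rules() {
    "$IPT" -nL INPUT
    "$IP6T" -nL INPUT
}

# Compare a file's MD5 with the checksum published in the KB (case-insensitive).
# Returns 0 on match, 1 on mismatch, 2 if the file cannot be read.
verify_md5() {
    local actual expected
    actual=$(md5sum "$1" 2>/dev/null | awk '{print $1}')
    [ -n "$actual" ] || return 2
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$actual" = "$expected" ]
}

# Example run, as root on the appliance:
#   verify_md5 vcsa_iptables_scripts-new.zip 245E8FA48B890B06ED0666B0D316FBE3 && echo "checksum OK"
#   dns_rule_cmds add        # review what will be executed
#   apply_dns_rules add
#   show_dns_rules
#   apply_dns_rules remove   # after upgrading to a fixed release
```

Review the output of dns_rule_cmds before applying, and remember that this example leaves the appliance in the same state as the manual method: the rules are gone after a reboot unless the KB's scripted method is used.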