VMware has investigated CVE-2021-22005 and determined that the possibility of exploitation can be removed by performing the steps detailed in the Workaround section of this article.
This workaround is meant to be a temporary solution until updates documented in VMSA-2021-0020 can be deployed.
Resolution for CVE-2021-22005 is documented in VMSA-2021-0020.
Option 1 - Implement Workaround Via The "VMSA-2021-0020" Script
This script is provided to help customers implement the documented workaround in a timely and automated way.
The script should ONLY be executed on vulnerable vCenter and PSC appliances.
If you have patched or updated your systems to the fixed versions of either 6.7U3o or 7.0U2c, please do not execute the script. The endpoints have been updated in these versions and will return an "HTTP/1.1 400" status when the curl command documented at the end of the manual steps is executed. See the "Related Information" section below for more information.
(Edit: Latest version of script not attached. This will report an "Environment is already patched for VMSA-2021-0020." message when executed on a patched system)
To use this approach, you must download the VMSA-2021-0020.py file attached to this article.
Then, use the file-moving utility of your choice (WinSCP for example) to copy the file to the appliance on which you wish to execute it.
The script will update the ph-web.xml file as required on ALL affected versions of 6.7 and 7.0.
NOTE: If you have trouble connecting to a vCenter appliance using WinSCP, please see Error when uploading files to vCenter Server Appliance using WinSCP
For the purposes of this document, the Python script has been copied to the "/var/tmp" directory on the VCSA.
Any directory can be used, but the location of the file will need to be updated in the commands below.
Steps
1) Connect to the vCSA using an SSH session and root credentials
2) List the contents of the directory where you copied the file – to ensure it was copied successfully
In this case, that is "/var/tmp". Execute the command and ensure that the file is listed
ls -al /var/tmp/
3) Run the script by executing the command below
Change the path to the file as appropriate
The version of Python to use depends on the exact version of your vCenter.
The script can be executed with python, python3.5 or python3.7:
python /var/tmp/VMSA-2021-0020.py
or
python3.5 /var/tmp/VMSA-2021-0020.py
or
python3.7 /var/tmp/VMSA-2021-0020.py
The script will execute and:
a. Create a backup of the unmodified ph-web.xml
b. Update the ph-web.xml file
c. Create a backup of the updated ph-web.xml
d. Restart the analytics service
e. Confirm that the appliance is no longer vulnerable
See the output below (script executed with python3.5 in this example).
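Steps 2 and 3 above can be wrapped in a small POSIX shell helper so that the operator does not have to guess which interpreter the appliance provides. The following is an added example written for this article; it is not VMware's VMSA-2021-0020.py script and does not replace it. It assumes the script has been uploaded to /var/tmp as described above (the path is a parameter), tries python3.7, python3.5 and python in that order, and only invokes the first one found on PATH.

```shell
#!/bin/sh
# Added helper (not part of the VMware article or script): locate an interpreter
# and run the uploaded VMSA-2021-0020.py workaround script with it.

# Print the first interpreter name from the argument list that exists on PATH.
# Returns 1 (and prints nothing) if none of the candidates is installed.
first_available_interpreter() {
    for candidate in "$@"; do
        if command -v "$candidate" >/dev/null 2>&1; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Step 2: confirm the uploaded script is present and list its directory,
# equivalent to the "ls -al /var/tmp/" check in the article.
check_script_present() {
    script="$1"
    if [ ! -f "$script" ]; then
        echo "script not found: $script" >&2
        return 1
    fi
    ls -al "$(dirname "$script")"
}

# Step 3: run the workaround script with the detected interpreter.
# Default path matches the article's example location (an assumption here).
run_workaround() {
    script="${1:-/var/tmp/VMSA-2021-0020.py}"
    check_script_present "$script" || return 1
    interp="$(first_available_interpreter python3.7 python3.5 python)" || {
        echo "no supported python interpreter found on this appliance" >&2
        return 1
    }
    echo "running $script with $interp"
    "$interp" "$script"
}
```

Usage on the appliance, as root over SSH: source the file and call `run_workaround /var/tmp/VMSA-2021-0020.py`. The helper exits non-zero, without touching anything, when the script is missing or no interpreter is found, so a failed upload is caught before the analytics service is restarted.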
This completes the "scripted workaround"
1) Connect to the vCSA using an SSH session and root credentials.