Workaround Instructions for CVE-2021-22048
search cancel

Workaround Instructions for CVE-2021-22048


Article ID: 317717


Updated On:


VMware vCenter Server


VMware security advisory VMSA-2021-0025 describes CVE-2021-22048. VMware has investigated and determined that the possibility of exploitation can be removed by performing the steps detailed in the Workaround section of this article.

This workaround requires that the SSO identity source configuration is switched from Integrated Windows Authentication (IWA) to one of the options below.
1)  Active Directory over LDAPs authentication 
2)  Identity Provider Federation for AD FS (vSphere 7.0 or later)

Active Directory over LDAP authentication is not impacted by this vulnerability. However, VMware strongly recommend that customers plan to move to another authentication method, The VMware blog posted here has more details on this. 
In addition, please refer to the 
vSphere Authentication with vCenter Single Sign-On documentation 


This issue is resolved in vCenter Server 7.0 U3i version, please click here to download. For more details please read VMware security advisory VMSA-2021-0025.


To switch to Active Directory over LDAPs, please see here and KB_2041378.
To switch to Identity Provider Federation for AD FS, please see here.  

Additional Information

For more information, please refer to the VMware blogs below.
VMware vSphere & Microsoft LDAP Channel Binding & Signing
vSphere Authentication, Microsoft Active Directory LDAP, and Event ID 2889

vSphere 7 – Identity Federation


Active Directory over LDAPs does not understand domain trusts, so customers that switch to this method will have to configure a unique identity source for each of their trusted domains. Identity Provider Federation for AD FS does not have this restriction