Dirmann Technology Consultants

New vCenter and VCF Vulnerability Discovered with 6.5 – 9.8 CVSSv3 Rating!


This just in! Today, VMware released an advisor to all users of vCenter and/or VMware Cloud Foundations for two different vulnerabilities found in both the vCenter Server VMware Cloud Foundation (vCenter) products – a remote code execution (labeled as CRITICAL with a rating of 9.8) and an authentication mechanism issue (labeled as MODERATE with a rating of 6.5). VMware is strongly urging users of these products to perform the necessary actions to protect themselves against this exploits immediately.

Who Is Affected?

If you use vCenter Server 7.0, 6.7, or 6.5, or are running VCF 4.x (prior to 4.2.1) or 3.x (prior to than you are affected by the issue. The vulnerabilities lie within plugins that come with or are added to vCenter when you deploy certain products. The plugins are:

  • vRealize Operations (vROPs)
  • vSAN
  • vCenter Life-cycle Manager (vLCM)
  • Site Recovery (SRM)
  • VMware Cloud Director Availability (VCDA)

Now, whether you use these features/products or not, depending on your version the plugins are installed by default. vCenter 6.5, 6.7, and 7.0 all have the vROPs and and vSAN installed by default. vLCM is not application to 6.5 or 6.7, but is available by default in 7.0. SRM is an additional product, so you shouldn’t be concerned with that one unless you have integrated SRM with your vCenter(s). VCDA is installed by default in 7.0, but is an additional product and integration for 6.5 and 6.7

What Do I Do?

Well, it depends. The quick and easy question is – can you patch/upgrade? If the answer to that question is “You bet I can!”, then your solution is simple:

  • For vCenter 7.0 you will need to patch up to 7.0 Update 2b
  • For vCenter 6.7, you will need to patch up to 6.7 Update 3n
  • For vCenter 6.5, you will need to patch up to 6.5 Update 3p

For VCF users, which isn’t as simple as patching your vCenter appliance:

  • If you’re running 4.x, you’re going to need to upgrade to 4.2.1.
  • If you’re running 3.x, you’re going to need to upgrade to


Okay, so you can’t patch for what ever reason. There’s workarounds that are available and highly suggested. Keep in mind that the workarounds are meant to be temporary solutions until you can patch/upgrade. Again, tem-po-ra-ry. These are some pretty serious vulnerabilities. To put it into perspective, we shared the advisory with some of our customers and they were ready to move on it immediately. To mitigate

  1.  SSH to your VCSA and create a backup of your /etc/vmware/vsphere-ui/compatibility-matrix.xml
    cp -v /etc/vmware/vsphere-ui/compatibility-matrix.xml /etc/vmware/vsphere-ui/compatibility-matrix.orig
  2. Edit /etc/vmware/vsphere-ui/compatibility-matrix.xml
    vi /etc/vmware/vsphere-ui/compatibility-matrix.xml
  3. After the end of the ‘White List’ section and before the beginning of ‘Black List’ section insert the following lines. Look for these lines and insert “PluginPackage” statements as seen below:Before:


    <PluginPackage id="com.vmware.vrops.install" status="incompatible"/>
    <PluginPackage id="com.vmware.vsphere.client.h5vsan" status="incompatible"/>
    <PluginPackage id="com.vmware.vrUi" status="incompatible"/>
    <PluginPackage id="com.vmware.vum.client" status="incompatible"/>
    <PluginPackage id="com.vmware.h4.vsphere.client" status="incompatible"/>


  4. Save and exit
  5. Stop and restart the vsphere-ui services.
    service-control --stop vsphere-ui
    service-control --start vsphere-ui

Again, this method is meant as a temporary solution and will affect only the functionality provided by the individual plugins. Note that disabling the plugins WILL NOT protect you from the threat. You MUST mark them as ‘Incompatible’.


With a similar workaround to VMSA-2021-0002, which we wrote about here, VMware has released another advisory with similar vulnerabilities in additional plugins. These are serious threats and should be handled with haste. Normally, I like to be a bit more “playful” with my blog posts, but when it comes to security and critical advisories I prefer to get straight to the meat with my audience. Thanks for reading. If you enjoyed the post make sure you check us out at dirmann.tech and follow us on LinkedInTwitterInstagram, and Facebook!




Share this article on social media: