Workaround Instructions for CVE-2021-22005
Article ID: 322789

Products

VMware vCenter Server

Issue/Introduction


VMware has investigated CVE-2021-22005 and determined that the possibility of exploitation can be removed by performing the steps detailed in the Workaround section of this article.

This workaround is meant to be a temporary solution until updates documented in VMSA-2021-0020 can be deployed.

 

VCSA systems running version 7.0U2c (build 18356314, released on August 24th) and VCSA systems running version 6.7U3o (build 18485166, released on September 21st) are not vulnerable to this issue, and this workaround is not required on appliances running these versions.
All previous versions of 6.7 and 7.0 are vulnerable.
This workaround also applies to VCSAs running as external PSCs in a vCenter 6.7 environment.
vCenter 6.5 versions are not exposed to this CVE, and this workaround does not apply to any 6.5 VCSA.
For customers running VCF, the workaround is required to be applied to all the vCenter systems running in your environment -- in both the management and all workload domains.


Resolution



Resolution for CVE-2021-22005 is documented in VMSA-2021-0020.


Workaround:

To implement the workaround for CVE-2021-22005 on Linux-based virtual appliances (vCSA), perform the following steps.

6.7 vCenters running on Windows are not impacted by CVE-2021-22005; there is no requirement to implement this workaround on 6.7 Windows VC systems.
This workaround also applies to VCSAs running as external PSCs in a vCenter 6.7 environment.


This workaround requires an update to the "/etc/vmware-analytics/ph-web.xml" file and a restart of the vmware-analytics service.
The update to the file involves "commenting out" a number of entries in the file using the "<!--" and "-->" tags.

The required changes depend on the version of VMware vCenter.
For 6.7 U1b (Build 11726888) and earlier, there is 1 endpoint, "phTelemetryServlet", that needs to be commented out.

For 6.7U2 (Build 13010631) and later, and all versions of 7.0, there are 3 impacted endpoints: "phTelemetryServlet", "phPhApiServlet" and "phPhStgApiServlet".


 

Option 1 - Implement Workaround Via The "VMSA-2021-0020" Script

This script is provided to help customers implement the documented workaround in a timely and automated way.
The script should ONLY be executed on vulnerable vCenter and PSC appliances.
If you have patched or updated your systems to the fixed versions of either 6.7U3o or 7.0U2c, please do not execute the script. The endpoints have been updated in these versions and will return a "HTTP/1.1 400" status when the curl command documented at the end of the manual steps is executed. See the "Related Information" section below for more information.

(Edit: Latest version of script not attached. This will report an "Environment is already patched for VMSA-2021-0020." message when executed on a patched system)

 

To use this approach, you must download the VMSA-2021-0020.py file attached to this article. 
Then, use the file-moving utility of your choice (WinSCP for example) to copy the file to the appliance on which you wish to execute it. 
The script will update the ph-web.xml file as required on ALL affected versions of 6.7 and 7.0.

NOTE: If you have trouble connecting to a vCenter appliance using WinSCP, please see "Error when uploading files to vCenter Server Appliance using WinSCP".

For the purposes of this document, the python script has been copied to the "/var/tmp" directory on the VCSA.

Any directory can be used – but the location of the file will need to be updated in the commands below

Steps

1) Connect to the vCSA using an SSH session and root credentials

2) List the contents of the directory where you copied the file – to ensure it was copied successfully
    In this case, that is "/var/tmp". Execute the command and ensure that the file is listed

              ls -al /var/tmp/

3) Run the script by executing the command below.
    Change the path to the file as appropriate.

    The version of python to use depends on the exact version of your vCenter.
    The script can be executed with python, python3.5 or python3.7:

python /var/tmp/VMSA-2021-0020.py
or
python3.5 /var/tmp/VMSA-2021-0020.py
or
python3.7 /var/tmp/VMSA-2021-0020.py


      The script will execute and
            a. Create a backup of the unmodified ph-web.xml 
            b. Update the ph-web.xml file
            c. Create a backup of the updated ph-web.xml
            d. Restart the analytics service
            e. Confirm that the appliance is no longer vulnerable

See the output below (script executed with python 3.5 in this example):

[Screenshot: script_output.png]


This completes the "scripted workaround"

Option 2 -- Implement The Workaround Via Manual Steps

 



1) Connect to the vCSA using an SSH session and root credentials.
 

2) Backup the /etc/vmware-analytics/ph-web.xml file:

cp /etc/vmware-analytics/ph-web.xml /etc/vmware-analytics/ph-web.xml.backup


3) Open the /etc/vmware-analytics/ph-web.xml file in a text editor

     vi /etc/vmware-analytics/ph-web.xml

4) Content of this file looks like below:

[Screenshot: Number1_alla.png]

5) Hit “I” on the keyboard to enter “Insert” mode (I for Insert)

6) Navigate to the "<list>" line as shown below

[Screenshot: Number2_alla.png]

7) Hit Enter

8) Type "<!--" as shown below

[Screenshot: Number3_alla.png]

9) Navigate to the "</bean>" line just after the "<property name="servlet" ref="phPhStgApiServlet"/>" line
    On older versions of 6.7 (U1b or earlier), you should navigate to the "</bean>" line just after the "<property name="servlet" ref="phTelemetryServlet"/>" line

[Screenshot: Number4_alla.png]

10) Hit "Enter" and type "-->"

[Screenshot: Number5_alla.png]

11) Hit the “Esc” button on your keyboard to exit Insert mode

12) Save and exit the file by typing ":wq" and hitting "Enter"

[Screenshot: Number6_alla.png]

13) Restart the vmware-analytics service by typing

                      service-control --restart vmware-analytics

14) To confirm that the workaround has taken effect, you can test by running the command below


curl -X POST "http://localhost:15080/analytics/telemetry/ph/api/hyper/send?_c&_i=test" -d "Test_Workaround" -H "Content-Type: application/json" -v 2>&1 | grep HTTP

This should return a 404 error

[Screenshot: test-output.png]
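The manual steps above, applied to the text of ph-web.xml and then checked, as an added example that is not VMware's VMSA-2021-0020.py: the sample file excerpts are constructed to show only the <list>/<bean>/<property ref="..."/> shape steps 6 to 10 rely on, and classify_probe reads the status line produced by the step 14 curl check (404 after the workaround, 400 on a fixed build). The "--" check guards against a real XML pitfall the steps do not mention: a comment span may not itself contain "--".

```python
import re
import xml.etree.ElementTree as ET
# Added example, not VMware's VMSA-2021-0020.py; file layout below is constructed.
AFFECTED = ("phTelemetryServlet", "phPhApiServlet", "phPhStgApiServlet")

# Constructed excerpt: only the <list> / <bean> / <property ref="..."/> shape
# the manual steps rely on is modelled; the real ph-web.xml carries far more.
SAMPLE_70 = """<beans>
  <list>
    <bean><property name="servlet" ref="phTelemetryServlet"/></bean>
    <bean><property name="servlet" ref="phPhApiServlet"/></bean>
    <bean><property name="servlet" ref="phPhStgApiServlet"/></bean>
    <bean><property name="servlet" ref="unrelatedServlet"/></bean>
  </list>
</beans>
"""
# 6.7U1b and earlier carry only phTelemetryServlet (constructed variant).
SAMPLE_67U1B = "\n".join(l for l in SAMPLE_70.splitlines()
                         if "phPhApiServlet" not in l and "phPhStgApiServlet" not in l) + "\n"

def apply_workaround(xml_text: str) -> str:
    """Steps 5-10: '<!--' after the <list> line, '-->' after the </bean> that
    follows the last affected servlet present in this version of the file."""
    lines = xml_text.splitlines()
    start = next(i for i, l in enumerate(lines) if l.strip() == "<list>")
    if lines[start + 1].strip() == "<!--":
        return xml_text                       # already applied: leave untouched
    last = max(i for i, l in enumerate(lines)
               if any(f'ref="{s}"' in l for s in AFFECTED))
    end = next(i for i in range(last, len(lines)) if "</bean>" in lines[i])
    if any("--" in l for l in lines[start + 1:end + 1]):
        raise ValueError("span already holds '--': nested XML comments are invalid")
    lines.insert(end + 1, "-->")
    lines.insert(start + 1, "<!--")
    return "\n".join(lines) + "\n"

def exposed_servlets(xml_text: str) -> list:
    """Affected refs still active; the parser drops the commented-out beans."""
    root = ET.fromstring(xml_text)
    return [p.get("ref") for p in root.iter("property") if p.get("ref") in AFFECTED]

def classify_probe(curl_grep_output: str) -> str:
    """Read the response status from the step 14 'curl ... -v | grep HTTP' output."""
    m = re.search(r"HTTP/\d(?:\.\d)? (\d{3})", curl_grep_output)
    code = int(m.group(1)) if m else 0
    if code == 404:
        return "workaround applied"
    if code == 400:
        return "fixed build (6.7U3o / 7.0U2c or later): workaround not needed"
    return "not confirmed: endpoint still answers"
```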


Additional Information


If the curl command documented above is executed on a "fixed" or updated version (6.7U3o/7.0U2c and later), then a "HTTP/1.1 400" message will be returned

VCSA running 7.0U2d build 18455184:
[Screenshot: fixed output.png]

VCSA running 6.7U3o build 18485185:
[Screenshot: fixed output1.png]

Impact/Risks:

Functionality Impacts:
There is no functionality impact when the workaround is applied to a vCenter system running 6.7.
On systems running 7.0, there is a very minor impact in that the user receives a "JSON deserialization failed" message when clicking on "Sample Data" under "Administration - Customer Experience Improvement Program".
This option is only available when CEIP is disabled.

Implementing this workaround has no effect on any service that requires CEIP to be enabled, such as:
  • Skyline Health for vSphere
  • Skyline Health for vSAN
In addition, there is no impact on VMware Skyline Advisor.

The screenshot below shows the error received in 7.0 vCenters post implementing the workaround.
This can be safely ignored


[Screenshot: error.png]


Attachments

VMSA-2021-0020