VMware Cloud Community
baijup
VMware Employee

Addressing VMSA-2021-0010 and related CVEs (CVE-2021-21985 & CVE-2021-21986)

This discussion thread is created to answer any questions you may have on the latest VMware Vulnerability VMSA-2021-0010.
Please review the documentation below, as this may answer any questions you have:

VMware Security Advisory - VMSA-2021-0010
VMware Blog - VMSA-2021-0010: What You Need to Know
In addition, answers to frequently asked questions are documented here - VMSA-2021-0010-FAQs

Step-by-step procedures to update vCenter Server:

Step by step procedure to update vCenter Server 7.0 appliance
Step by step procedure to update vCenter Server 6.7 appliance
Step by step procedure to update vCenter Server 6.5 appliance
Step by step procedure to update Windows vCenter Server 6.5/6.7

0 Kudos
12 Replies
padhillon
Contributor

There is no clear indication about the downloadable patch for vCenter Server 6.5 running on Windows Platform.

Can you please guide us about the applicable update version with the latest build number for vCenter 6.5 running on Windows?

And also share the exact download location for the same.

Note: It's not about vCenter server appliance. It's about vCenter on Windows OS.

0 Kudos
baijup
VMware Employee

@padhillon You may download 6.5 U3p Windows vCenter Server ISO from the below link:

https://my.vmware.com/group/vmware/downloads/details?downloadGroup=VC65U3P&productId=614&rPId=67485

Step-by-step procedure on how to update vCenter Server 6.5 Windows:
https://communities.vmware.com/t5/vSphere-Upgrade-Install/Step-by-step-procedure-to-update-windows-v...

0 Kudos
padhillon
Contributor

The latest downloadable version I can find on that link is below:

VMware vCenter Server 6.5U3n
Name: VMware-VIM-all-6.5.0-17590285.iso
Release Date: 2021-02-23
Build Number: 17590285

However, the new advisory for 25th May shows below as per release notes for Windows:

vCenter Server 6.5 Update 3p | 25 MAY 2021 | ISO Build 17994927
vCenter Server Appliance 6.5 Update 3p | 25 MAY 2021 | ISO Build 17994927

Two different versions and different patch level with different build numbers.

0 Kudos
baijup
VMware Employee

@padhillon Thanks for the update. The link I shared was a direct link for 65U3p (VMSA fixed version), screenshot attached. I am currently checking with a different account, will keep you updated.

Wompfel
Contributor

@baijup Can you tell me if there are any actions to be taken for versions earlier than 6.5?

I still have a vCenter with the following version: 6.0.0. Build 3634794
(Planned to be updated)

vCenter Server versions before 6.5 have no HTML5 client, so currently I'm not sure if I have to or can do anything, because there is also a "VMware Virtual SAN Health Service", but the vCenter is running with Flash.

Thanks a lot in advance.

0 Kudos
RADunton
Contributor

I just ran the procedure to block the plugins. It looked like everything worked in the SSH session. When I logged back into the vCenter 7.0 GUI, I saw notifications concerning deploying the plugins that were listed. See attached screenshot. Is this expected?

0 Kudos
Wompfel
Contributor

@RADunton I'm not sure about vCenter 7.0, but for 6.7 you surely have the information that it reloads/deploys the plugins, because you restarted the appliance.

But for the one you excluded, there should be something similar to this:

[Image: Wompfel_0-1622128774949.png]

0 Kudos
RADunton
Contributor

Thanks. I don't see anything like that. I'll get a case open for it.

0 Kudos
baijup
VMware Employee

@Wompfel These vulnerabilities impact only the listed plugins in the HTML Client, which was introduced in vCenter Server 6.5. So plugins in vCenter Server 6.0 are not impacted by this VMSA. Hope it helps.

0 Kudos
baijup
VMware Employee

@padhillon I tried with a different account as well, and 6.5 U3p is visible in the Download Screen. Can you please share a screenshot of available downloads from My VMware -> All Products -> 6.5? (attached a sample screenshot - vCenterServerDownloadScreenshot.pdf)

0 Kudos
padhillon
Contributor

Thank you @baijup, you were a great help. I am able to get it now by following the document you shared. Earlier, it was taking me to Appliance updates and to the last available update for Windows (U3n) only in the update section.

0 Kudos
Wompfel
Contributor

Yes, thank you!

0 Kudos