VMware vCenter vROPS Plugin Remote Code Execution Vulnerability

Option 1: Upgrade your vCenter Instance

Upgrade the major release version to a version at or above as indicated below: - Version 7.0 - Patched 7.0 U1c or later - Version 6.7 - Patched 6.7 U3l or later - Version 6.5 - Patched 6.5 U3n or later

Option 2: Disable Plugins on Virtual Server Appliance Deployments

Important: Plugins must be set to “incompatible.” Disabling a plugin from within the UI does not prevent exploitation. The following actions must be performed on both the active and passive nodes in environments running vCenter High Availability (VCHA).1. Connect to the vCSA using an SSH session and root credentials. 2. Backup the /etc/vmware/vsphere-ui/compatibility-matrix.xml file:

cp -v /etc/vmware/vsphere-ui/compatibility-matrix.xml /etc/vmware/vsphere-ui/compatibility-matrix.xml.backup

Open the compatibility-matrix.xml file in a text editor.
NOTE: Contents of this file looks like below:

Add the following line in between the WHITE LIST and BLACK LIST blocks:

<PluginPackage id="com.vmware.vrops.install" status="incompatible"/>

NOTE: Contents of this file looks like below:
Save and close the compatibility-matrix.xml file.

Stop and restart the vsphere-ui service using the commands:

service-control --stop vsphere-ui.
service-control --start vsphere-ui.

Option 3: Disable Plugins on Windows-based vCenter Server Deployments

Use Remote Desktop to access the Windows based vCenter Server.
Take a backup of the C:\ProgramData\VMware\vCenterServer\cfg\vsphere-ui\compatibility-matrix.xml file.
Content of this file looks like below: