VMware vCenter vSAN Health Check Plugin Remote Code Execution Vulnerability

Option 1: For vCenter Server Appliances

  1. Connect to the vCSA using an SSH session and root credentials.
  2. Back up the /etc/vmware/vsphere-ui/compatibility-matrix.xml file.
  3. Open the compatibility-matrix.xml file in a text editor:

  4. Note: Content of an unedited file should look similar to the following:
    [Image: example unedited file]

  5. To disable all plugins with disclosed vulnerabilities, add the following lines as shown below:

  6. Note: These entries should be added between the --> and <!-- entries highlighted above.

    <PluginPackage id="com.vmware.vrops.install" status="incompatible"/>
    <PluginPackage id="com.vmware.vsphere.client.h5vsan" status="incompatible"/>
    <PluginPackage id="com.vmware.vrUi" status="incompatible"/>
    <PluginPackage id="com.vmware.vum.client" status="incompatible"/>
    <PluginPackage id="com.vmware.h4.vsphere.client" status="incompatible"/>
    
  7. The file should look like the following image:
    [Image: final edit]
  8. Save and close the compatibility-matrix.xml file.
  9. Stop and restart the vsphere-ui service using these commands:
    service-control --stop vsphere-ui
    service-control --start vsphere-ui
    

Option 2: For Windows-based vCenter Servers

  1. Use Remote Desktop to access the Windows-based vCenter Server.
  2. Take a backup of the C:\ProgramData\VMware\vCenterServer\cfg\vsphere-ui\compatibility-matrix.xml file.
  3. Open the compatibility-matrix.xml file in a text editor:
    [Image: open file]
  4. To disable all plugins with disclosed vulnerabilities, add the following lines as shown below:

  5. Note: These entries should be added between the --> and <!-- entries highlighted above.

    <PluginPackage id="com.vmware.vrops.install" status="incompatible"/>
    <PluginPackage id="com.vmware.vsphere.client.h5vsan" status="incompatible"/>
    <PluginPackage id="com.vmware.vrUi" status="incompatible"/>
    <PluginPackage id="com.vmware.vum.client" status="incompatible"/>
    <PluginPackage id="com.vmware.h4.vsphere.client" status="incompatible"/>
    
  6. The file should look like the image below:
    [Image: final edit]

  7. Save and close the file.
  8. In a Windows command prompt, stop and restart the vsphere-ui service using these commands:
    C:\Program Files\VMware\vCenter Server\bin> service-control --stop vsphere-ui
    C:\Program Files\VMware\vCenter Server\bin> service-control --start vsphere-ui
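
A way to verify the edit in either option before restarting vsphere-ui, as an added example (not VMware's code and not part of the original article): the script parses compatibility-matrix.xml and reports any of the five plugin ids that are not effectively marked incompatible, including entries pasted inside a comment block instead of between the --> and <!-- markers. The function name, the sample documents and their wrapper element names are assumptions made for this example.

```python
import sys
import xml.etree.ElementTree as ET

# Plugin ids copied from the workaround steps on this page.
REQUIRED = (
    "com.vmware.vrops.install",
    "com.vmware.vsphere.client.h5vsan",
    "com.vmware.vrUi",
    "com.vmware.vum.client",
    "com.vmware.h4.vsphere.client",
)

def still_enabled(xml_doc):
    """Return the required plugin ids NOT effectively marked incompatible.

    The parser discards XML comments, so an entry pasted inside a
    <!-- ... --> block is reported as missing.
    """
    root = ET.fromstring(xml_doc)  # accepts str or bytes
    disabled = set()
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # tolerate a namespaced document
        if tag == "PluginPackage" and el.get("status") == "incompatible":
            disabled.add(el.get("id"))
    return [pid for pid in REQUIRED if pid not in disabled]

# Constructed samples; the wrapper element names are assumptions.
_ENTRIES = "\n".join(
    f'<PluginPackage id="{pid}" status="incompatible"/>' for pid in REQUIRED
)
_WRAP = "<Matrix><pluginsCompatibility>\n{}\n</pluginsCompatibility></Matrix>"
GOOD = _WRAP.format("<!-- notes -->\n" + _ENTRIES + "\n<!-- notes -->")
BAD = _WRAP.format("<!--\n" + _ENTRIES + "\n-->")  # entries inside a comment

if __name__ == "__main__":
    # Usage: python3 check_matrix.py /path/to/compatibility-matrix.xml
    with open(sys.argv[1], "rb") as fh:
        missing = still_enabled(fh.read())
    print("all five disabled" if not missing else "still enabled: " + ", ".join(missing))
    sys.exit(1 if missing else 0)
```

A non-zero exit status means at least one listed plugin would still load after the restart, so the file should be corrected before running service-control.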