To implement the workaround for CVE-2021-21972 and CVE-2021-21973 on Linux-based virtual appliances (vCSA), perform the following steps:
1. SSH to vCSA.
2. Take a backup of the file –
- /etc/vmware/vsphere-ui/compatibility-matrix.xml
3. Content of this file looks like below:
4. Using a file editor, insert the below line in the file.
<Matrix>
<pluginsCompatibility>
. . . .
. . . .
<PluginPackage id="com.vmware.vrops.install" status="incompatible"/>
</pluginsCompatibility>
</Matrix>
5. The file should look like below:
6. Restart the vsphere-ui service using the command: service-control --restart vsphere-ui
7. Navigate to https://<VC-IP-or-FQDN>/ui/vropspluginui/rest/services/checkmobregister. This page displays 404/Not Found error (as shown below).
8. From the h5-client, the VMware vROPS Client plugin can be seen as "incompatible" under Administration > Solutions > client-plugins as shown below:
This confirms that the endpoint /ui/vropspluginui is disabled.
To implement the workaround for CVE-2021-21972 and CVE-2021-21973 on Windows-based vCenter Server deployments, perform the following steps:
1. RDP to the Windows-based vCenter Server.
2. Take a backup of the file –
- C:\ProgramData\VMware\vCenterServer\cfg\vsphere-ui\compatibility-matrix.xml
3. Content of this file looks like below:
4. Using a file editor, insert the below line in the file.
<Matrix>
<pluginsCompatibility>
. . . .
. . . .
<PluginPackage id="com.vmware.vrops.install" status="incompatible"/>
</pluginsCompatibility>
</Matrix>
5. The file should look like below:
6. Restart the vsphere-ui service using the command – C:\Program Files\VMware\vCenter Server\bin> service-control --restart vsphere-ui
7. Navigate to
https://<VC-IP-or-FQDN>/ui/vropspluginui/rest/services/checkmobregister.
This page displays 404/Not Found error (as shown below):
8. From the h5-client, the VMware vROPS Client plugin can be seen as "incompatible" under Administration > Solutions > client-plugins as shown below:
This confirms that the endpoint /ui/vropspluginui is disabled.
To revert the workaround for CVE-2021-21972 and CVE-2021-21973 on Linux-based virtual appliances (vCSA), perform the following steps:
1. SSH to vCSA.
2. Using a text editor, edit the file –
- /etc/vmware/vsphere-ui/compatibility-matrix.xml
3. Remove the below line in the file.
<Matrix>
<pluginsCompatibility>
. . . .
. . . .
<PluginPackage id="com.vmware.vrops.install" status="incompatible"/>
</pluginsCompatibility>
</Matrix>
4. Restart the vsphere-ui service using the command – service-control --restart vsphere-ui
5. Validate that the vsphere-ui service is up and that the VMware vROPS Client plugin status is deployed/enabled.
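The vCSA apply and revert file edits described above, scripted so they are idempotent and refuse to touch a file that lacks the expected element. This is an added example, not VMware's code and not part of the original article; the function names and the .bak/.tmp suffixes are assumptions, and the vsphere-ui restart and the 404 check from the steps still follow each edit.

```shell
#!/bin/sh
# Added example, not VMware's code. Function names and the .bak/.tmp
# suffixes are assumptions; path and entry come from the steps above.
MATRIX="${MATRIX:-/etc/vmware/vsphere-ui/compatibility-matrix.xml}"
ENTRY='<PluginPackage id="com.vmware.vrops.install" status="incompatible"/>'

workaround_present() { grep -qF "$ENTRY" "${1:-$MATRIX}"; }

apply_workaround() {
    f="${1:-$MATRIX}"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
    workaround_present "$f" && return 0        # already applied, change nothing
    # Refuse to edit a file without the element the entry must sit inside.
    grep -q '</pluginsCompatibility>' "$f" ||
        { echo "no </pluginsCompatibility> in $f" >&2; return 3; }
    cp -p "$f" "$f.bak" || return 1            # the backup step
    # Emit the entry on its own line just before the first closing tag,
    # splitting the line if other markup precedes the tag on it.
    awk -v e="$ENTRY" '
        !done && (i = index($0, "</pluginsCompatibility>")) {
            pre = substr($0, 1, i - 1); done = 1
            if (pre ~ /[^ \t]/) { print pre; $0 = substr($0, i) }
            print "    " e
        }
        { print }' "$f.bak" > "$f.tmp" || return 1
    cat "$f.tmp" > "$f" && rm -f "$f.tmp"      # overwrite in place: keeps owner/mode
}

revert_workaround() {
    f="${1:-$MATRIX}"
    workaround_present "$f" || return 0        # nothing to revert
    # Drop only lines that consist of the entry alone (plus whitespace).
    awk -v e="$ENTRY" '
        { t = $0; gsub(/^[ \t]+|[ \t\r]+$/, "", t) }
        t != e { print }' "$f" > "$f.tmp" || return 1
    cat "$f.tmp" > "$f" && rm -f "$f.tmp"
    ! workaround_present "$f"                  # fail if the entry shared a line
}
```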
To revert the workaround for CVE-2021-21972 and CVE-2021-21973 on Windows-based vCenter Server deployments, perform the following steps:
1. RDP to the Windows vCenter Server.
2. Using a text editor, edit the file –
- C:\ProgramData\VMware\vCenterServer\cfg\vsphere-ui\compatibility-matrix.xml
3. Remove the below line in the file.
<Matrix>
<pluginsCompatibility>
. . . .
. . . .
<PluginPackage id="com.vmware.vrops.install" status="incompatible"/>
</pluginsCompatibility>
</Matrix>
4. Restart the vsphere-ui service using the command – C:\Program Files\VMware\vCenter Server\bin> service-control --restart vsphere-ui
5. Validate that the vsphere-ui service is up and that the VMware vROPS Client plugin status is deployed/enabled.
For more information on how to start/stop/restart services, refer to the KBs below:
- https://kb.vmware.com/s/article/2109881
- https://kb.vmware.com/s/article/2109887