Workarounds for vCenter Orchestrator Address Apache Struts Remote Code Execution Vulnerability (1034175)

Details

The following VMware vCenter Orchestrator (vCO) versions embed Apache Struts 2.0.11 or earlier:

  • vCenter Orchestrator 4.0
  • vCenter Orchestrator 4.0 Update 1
  • vCenter Orchestrator 4.0 Update 2
  • vCenter Orchestrator 4.1
  • vCenter Orchestrator 4.1 Update 1

A remote security vulnerability that might allow unauthorized users to run code on the vCO system without authentication is reported for Apache Struts version 2.0.11 and earlier (http://struts.apache.org/2.2.1/docs/s2-005.html). The Common Vulnerabilities and Exposures project has assigned the name CVE-2010-1870 to this vulnerability.

Apache Struts version 2.0.11 and earlier also contain vulnerabilities described at the following URLs:

The vulnerabilities are classified as Important, according to the VMware Security Response Policy.

Note: You can install vCO as a standalone application on a separate system or on the same vCenter Server system. If you install vCO together with vCenter Server, the vCO server does not start by default. You should start the Orchestrator server service manually. Performing the workarounds removes the vulnerability for vCO and for any vCO plug-ins that you might have installed on top of the vCO platform.

Solution

You can work around this security issue in two different ways that are applicable to all supported Orchestrator versions. The first workaround prevents the successful exploitation of the security issue in existing Orchestrator installations by disallowing the malicious traffic, and the second workaround disables the vulnerable vCO Configuration service.

Note: The Orchestrator Configuration service does not need to be running when you work with Orchestrator. You need the Orchestrator Configuration service up and running only when you configure Orchestrator.

To disallow the malicious traffic:

  1. Log in as an administrator to the machine on which Orchestrator is installed.
  2. Back up the Orchestrator installation directory.
    The default installation location is C:\Program Files\VMware\Orchestrator\.
  3. Download the attached vCO-KB-1034175.zip to a local directory.
  4. (Optional) Verify that the MD5 or SHA1 checksum of the downloaded file matches one of the following:
    • MD5SUM: c9e2d65802e122993c85831a2d723a34
    • SHA1SUM: 56eba8caf28b3225a51509a14867d502ce3ac721
    For more information on verifying the checksum match, see Using Cryptographic Hashes.

  5. Extract the contents of the .zip in the Orchestrator installation directory.
    The default installation location is C:\Program Files\VMware\Orchestrator\.
  6. Select the option to replace any existing files.
  7. Verify that the vco-jetty-filters.jar file is present in C:\Program Files\VMware\Orchestrator\configuration\jetty\lib\ext.

To disable the vulnerable vCO Configuration service:

  1. Log in as an administrator to the machine on which Orchestrator is installed.
  2. Right-click My Computer and select Manage.
  3. In the Computer Management Services window, expand Services and Applications and select Services.
  4. In the right pane, right-click VMware vCenter Orchestrator Configuration and select Stop.

    You successfully stopped the Orchestrator Configuration service.

  5. In the right pane, right-click VMware vCenter Orchestrator Configuration and select Properties.
  6. From the Startup type drop-down menu in the VMware vCenter Orchestrator Configuration (Local Computer) window, select Disabled.

    You disabled the Orchestrator Configuration service and it cannot start automatically the next time the computer reboots.
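The following PowerShell script is an added example, not part of this VMware article or of the vCO product, for confirming on a Windows vCO host that the two workarounds above are in place. The installation path, the checksums and the service display name are taken from the article; the download location and the script itself are assumptions.

```powershell
# Added verification script (not VMware's code): checks both KB 1034175 workarounds.
# Paths, hashes and the service display name come from the article; the rest is assumed.
param(
    [string]$ZipPath     = "$env:USERPROFILE\Downloads\vCO-KB-1034175.zip",   # assumed location
    [string]$InstallDir  = 'C:\Program Files\VMware\Orchestrator',
    [string]$ServiceName = 'VMware vCenter Orchestrator Configuration'        # display name
)

# Checksums published in the article for the workaround archive.
$expected = @{
    MD5  = 'c9e2d65802e122993c85831a2d723a34'
    SHA1 = '56eba8caf28b3225a51509a14867d502ce3ac721'
}

function Test-ArchiveChecksum {
    # Compares the MD5 and SHA1 of the downloaded zip against the published values.
    param([string]$Path)
    if (-not (Test-Path $Path)) { Write-Warning "Archive not found: $Path"; return $false }
    $ok = $true
    foreach ($alg in $expected.Keys) {
        $actual = (Get-FileHash -Path $Path -Algorithm $alg).Hash.ToLower()
        if ($actual -ne $expected[$alg]) {
            Write-Warning "$alg mismatch: expected $($expected[$alg]), got $actual"
            $ok = $false
        }
    }
    return $ok
}

function Test-FilterInstalled {
    # Workaround 1: the request-filtering jar must sit under the Jetty ext lib directory.
    param([string]$Dir)
    Test-Path (Join-Path $Dir 'configuration\jetty\lib\ext\vco-jetty-filters.jar')
}

function Test-ConfigServiceDisabled {
    # Workaround 2: the Configuration service is stopped and its startup type is Disabled.
    param([string]$DisplayName)
    $svc = Get-CimInstance Win32_Service -Filter "DisplayName='$DisplayName'"
    if (-not $svc) { Write-Warning "Service '$DisplayName' not found"; return $false }
    ($svc.State -eq 'Stopped') -and ($svc.StartMode -eq 'Disabled')
}

$results = [ordered]@{
    'Archive checksum matches'       = Test-ArchiveChecksum $ZipPath
    'vco-jetty-filters.jar present'  = Test-FilterInstalled $InstallDir
    'Configuration service disabled' = Test-ConfigServiceDisabled $ServiceName
}
$results.GetEnumerator() | ForEach-Object { '{0,-32} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' }) }
```

Because the article presents the two workarounds as alternatives, a MISSING result on one line is expected when only the other workaround was applied; run the script in an elevated session so the service query and the installation directory are readable.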

Attachments
