This article provides a workaround for security issues related to Apache Struts by disabling the performance charts service in vCenter Server 6.0. Critical vulnerabilities in Apache Struts that affect VMware products are documented in VMware Security Advisories.

Please sign up at our Security-Announce mailing list to receive new and updated VMware Security Advisories.

The workarounds described in the Solution section of this article apply to the following versions of vCenter Server:

• VMware vCenter Server Appliance 6.0
• VMware vCenter Server 6.0

Warning: The workaround for vCenter 6.5 and vCenter 6.7 has been documented separately in KB 57716. Do NOT apply the workaround below to vCenter 6.5 or 6.7.

Functionality Impact: Users will not be able to view the Overview Performance Charts in vSphere Web Client. The advanced performance charts and the vCenter Server API for extracting performance statistics are not impacted. At the time of publication, these are the only known functionality impacts associated with disabling this feature.

To apply this workaround on vCenter Server 6.0, stop the performance charts service and disable the automatic startup of the service on reboot.

How to Stop the Performance Charts Service in vSphere 6.0

For the vCenter Server Appliance 6.0

1. Connect the vCenter Server Appliance with an SSH session and root credentials.
2. Run this command to enable access the Bash shell:
   shell.set --enabled true
    
3. Type shell and press Enter.
4. Stop the performance charts service with this command:
   service vmware-perfcharts stop
    
5. (Optional) Turn off the automatic startup of the service on reboot:
   service vmware-perfcharts remove

For vCenter Server 6.0 on Windows

1. Log in as an administrator to the Windows machine.
2. Open the command-prompt.
3. Stop the performance charts service.
    sc stop vmware-perfcharts
    
4. (Optional) Turn off the automatic startup of the service on reboot.
   sc config vmware-perfcharts start= demand

To revert the startup type of the performance charts service to the default behavior

1. In the vCenter Server Appliance run the command:
   /bin/ln -s /usr/lib/vmware-perfcharts/wrapper/bin/vmware-perfcharts /etc/init.d/vmware-perfcharts 
   /sbin/chkconfig -add vmware-perfcharts
    
2. In the Windows system where vCenter Server is installed, run this command:
   sc config vmware-perfcharts start= auto
    

Alternative

Steps to apply workaround using the vSphere Web client

1. Login to vSphere Web client as administrator of the system.
2. Navigate to the administration (Home) > system configuration (under deployment) > Services node
3. Navigate to the VMware Performance charts service on the left panel.
4. Click on stop button. Check the summary page that the service changes from “Running” to “Stopped”.
5. From the Actions menu, edit the startup type and set it to MANUAL.

Steps to revert the workaround using vSphere Web client

1. Login to vSphere Web client as administrator of the system.
2. Navigate to the administration (Home) > system configuration (under deployment) > Services node.
3. Navigate to the VMware Performance charts service on the left panel.
4. From the Actions menu, edit the startup type and set it to AUTOMATIC.
5. Click the start button. Check the summary page that the service changes from “Stopped” to “Running”.