vRealize Operations Application Remote Collector (ARC) - 7.5, 8.0, 8.0.1, 8.1 Resolution for CVE-2020-11651, CVE-2020-11652

Article ID: 328827

Products

VMware Aria Suite

Issue/Introduction

CVE-2020-11651 and CVE-2020-11652 have been determined to affect Application Remote Collector - 7.5, 8.0, 8.0.1, 8.1. 

The Application Remote Collector team has determined that exploitation can be prevented by performing the steps detailed in the Resolution section of this article. If the resolution cannot be applied, the workaround should be considered. However, the workaround is meant to be a temporary solution only, and leaves Application Remote Collector with very limited working functionality.

Environment

VMware vRealize Operations 8.0.x
VMware vRealize Operations Manager 7.5.x
VMware vRealize Operations 8.1.x
VMware vRealize Operations 8.x

Resolution

This issue is resolved in Application Remote Collector 7.5, 8.0.1, and 8.1 with the following security patches:
7.5 - vRealize Application Remote Collector 7.5 – Virtual Appliance Security Patch
8.0.1 - vRealize Application Remote Collector 8.0.1 – Virtual Appliance Security Patch
8.1 - vRealize Application Remote Collector 8.1 – Virtual Appliance Security Patch

To apply the patch for a given version, complete the following.
  1. Take a snapshot of the existing Application Remote Collector system.
  2. Download the respective patch for the version of ARC installed using the links above.
  3. On Application Remote Collector 7.5 only, complete these steps before proceeding:
    1. Log into the VAMI UI of Application Remote Collector (https://ARC IP/FQDN:5480) using the root credentials.
    2. Navigate to Update > Settings.
    3. Under Update Repository, select Use CDROM Updates.
    4. Click Save Settings.
  4. Follow the steps in Upgrade an Existing Installation from an ISO File to complete the upgrade.


Workaround:
To implement the workaround for CVE-2020-11651 and CVE-2020-11652 on Application Remote Collector - 7.5, 8.0, 8.0.1, or 8.1, perform the following steps.
  1. Log into the Application Remote Collector as root via SSH or the console (press ALT+F1 in the console to log in).
  2. Run the following command to back up the current iptables rules:
     iptables-save > /ucp/iptables.out
  3. Run the following commands to add the iptables rules to block salt docker ports:
     iptables -I DOCKER 1 -p tcp --dport 4505 -j DROP
     iptables -I DOCKER 1 -p tcp --dport 4506 -j DROP
  4. Repeat steps 1-3 on all Application Remote Collectors.
Note: This workaround is not persistent and will revert to default if you restart the Application Remote Collector. Steps 1-3 will need to be re-applied after a restart.
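
Because the workaround does not survive a restart, the following added example (not part of the VMware article) checks `iptables -S DOCKER` output and reports any Salt port that the DROP rules no longer block. The function name and the sample rule listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: reads `iptables -S DOCKER` output on stdin and prints every
# Salt port (4505, 4506) that the workaround DROP rules no longer block.
unblocked_salt_ports() {
    awk '
        BEGIN { want["4505"]; want["4506"] }
        $1 == "-A" && $2 == "DOCKER" {
            port = ""; proto = ""; target = ""; narrow = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-p")      proto  = $(i + 1)
                if ($i == "--dport") port   = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
                # A rule limited by address or interface does not cover all traffic.
                if ($i == "-s" || $i == "-d" || $i == "-i" || $i == "-o") narrow = 1
            }
            if (proto != "tcp" || !(port in want) || (port in decided)) next
            # iptables stops at the first matching rule, so order matters:
            # the DROP must come before any ACCEPT for the same port.
            if (target == "DROP" && !narrow) decided[port] = "blocked"
            else if (target == "ACCEPT")     decided[port] = "open"
        }
        END { for (p in want) if (decided[p] != "blocked") print p }
    ' | sort -n
}

# Constructed sample: chain right after the workaround commands were run.
SAMPLE_APPLIED='-N DOCKER
-A DOCKER -p tcp -m tcp --dport 4506 -j DROP
-A DOCKER -p tcp -m tcp --dport 4505 -j DROP
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 4505 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 4506 -j ACCEPT'

# Constructed sample: chain after a restart, workaround rules gone.
SAMPLE_REVERTED='-N DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 4505 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 4506 -j ACCEPT'

# Demonstration on the constructed samples. On an appliance, run as root:
#   iptables -S DOCKER | unblocked_salt_ports
echo "applied:  [$(printf '%s\n' "$SAMPLE_APPLIED"  | unblocked_salt_ports | tr '\n' ' ')]"
echo "reverted: [$(printf '%s\n' "$SAMPLE_REVERTED" | unblocked_salt_ports | tr '\n' ' ')]"
```

Empty output means both ports are blocked; any port printed means steps 1-3 need to be re-applied on that collector.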


Additional Information

To remove the workaround for CVE-2020-11651 and CVE-2020-11652 on Application Remote Collector - 7.5, 8.0, 8.0.1, or 8.1, perform the following steps:
  1. Restart the Application Remote Collector.


Impact/Risks:
Warning:
This resolution and workaround are applicable ONLY to Application Remote Collector - 7.5, 8.0, 8.0.1, and 8.1.
Do not apply this resolution or workaround to other VMware products.

vRealize Operations comes with a feature to monitor applications using Telegraf agents. Existing end-points on which agents have been installed and/or plugins activated will continue to send metric and service data. With the workaround, the following capabilities of this feature will be impacted:
  • Ability to install new agents
  • Ability to uninstall existing agents
  • Add/Edit or Activate/Deactivate a plugin/ICMP/UCP/TCP/Remote Checks/Custom Script
  • Stop/Start Agent
  • Ability to do content upgrade
No capabilities are impacted using the resolution.