Search the VMware Knowledge Base (KB)
View by Article ID

Workaround for BlazeDS CVE-2017-5641 for vCenter Server 6.5 (2149815)

  • 1 Ratings

Purpose

There is a critical vulnerability tracked by CVE-2017-5641. This vulnerability affects the vCenter Server Appliance and vCenter Server on Windows.

This article provides a workaround for the security issue CVE-2017-5641 by removing the telemetry plugins of vSphere Web Client. Before applying the workaround, see VMSA-2017-0007 for fixes and up to date information on this vulnerability.

The following versions of the vCenter Server Appliance and vCenter Server are impacted with the CVE-2017-5641 issue:
  • VMware vCenter Server Appliance 6.5
  • VMware vCenter Server 6.5

Functionality Impact: The Customer Experience Improvement Program will stop working which will result in not sending vCenter and vSphere web client telemetry data to VMware.

Resolution

This issue is resolved in vCenter Server 6.5 c available at VMware Downloads.

To work around this issue, remove the telemetry plugins.

For vCenter Server 6.5 on Windows 
  1. Log in as an administrator to the Windows machine.
  2. Open the command prompt.
  3. Run this command to navigate to C:\Program Files\VMware\vCenter Server\vmon:

    cd C:\Program Files\VMware\vCenter Server\vmon

  4. Run this command to stop the vSphere Web Client service:

    vmon-cli -k vsphere-client

  5. Backup the contents of C:\ProgramData\VMware\vCenterServer\runtime\vsphere-client\server\work and C:\ProgramData\VMware\vCenterServer\runtime\vsphere-client\server\pickup.

  6. Run this command to remove the contents of the vSphere Web Client work directory:

    rmdir "C:\ProgramData\VMware\vCenterServer\runtime\vsphere-client\server\work" /s /q

  7. Run this command to remove the contents of the pickup directory:

    del "C:\ProgramData\VMware\vCenterServer\runtime\vsphere-client\server\pickup\*" /q

  8. Back up the following files located at C:\ProgramData\VMware\vCenterServer\runtime\vsphere-client\plugin-packages\telemetry\plugins\.

    • ceip-service-6.1.0.jar
    • ceip-ui-war-6.1.0.war
    • telemetry-service-6.1.0.jar
    • telemetry-ui-war-6.1.0.war

  9. Remove the following files under C:\ProgramData\VMware\vCenterServer\runtime\vsphere-client\plugin-packages\telemetry\plugins\.

    • ceip-service-6.1.0.jar
    • ceip-ui-war-6.1.0.war
    • telemetry-service-6.1.0.jar
    • telemetry-ui-war-6.1.0.war

  10. Run this command to navigate to C:\Program Files\VMware\vCenter Server\vmon:

    cd C:\Program Files\VMware\vCenter Server\vmon

  11. Run this command to start the vCenter services:

    vmon-cli -i vsphere-client

For vCenter Server Appliance 6.5
  1. Connect the vCenter Server Appliance with an SSH session.
  2. Run this command to stop the vSphere Web Client service:

    /usr/lib/vmware-vmon/vmon-cli -k vsphere-client

  3. Backup the contents of the /usr/lib/vmware-vsphere-client/server/work/ directory.
  4. Run this command to remove the contents of the vSphere Web Client work directory:

    rm -rf /usr/lib/vmware-vsphere-client/server/work/*

  5. Backup the contents of the /usr/lib/vmware-vsphere-client/server/pickup/ directory.
  6. Run this command to remove the contents of the pickup directory:

    rm /usr/lib/vmware-vsphere-client/server/pickup/*

  7. Back up the following files under /usr/lib/vmware-vsphere-client/plugin-packages/telemetry/plugins/.

    • ceip-service-6.1.0.jar
    • ceip-ui-war-6.1.0.war
    • telemetry-service-6.1.0.jar
    • telemetry-ui-war-6.1.0.war

  8. Remove the following files under  /usr/lib/vmware-vsphere-client/plugin-packages/telemetry/plugins/.

    • ceip-service-6.1.0.jar
    • ceip-ui-war-6.1.0.war
    • telemetry-service-6.1.0.jar
    • telemetry-ui-war-6.1.0.war

  9. Run this command to start the vCenter service:

    /usr/lib/vmware-vmon/vmon-cli -i vsphere-client

Additional Information

Process to verify the workaround was applied:
  1. Open Developer Tools in Chrome, Firefox or IE and go to the Network tab.
  2. Refresh the browser and observe that the removed module telemetry-ui is not downloaded in the browser.

Steps to reverse the workaround:
  1. Stop the vSphere Web Client service.
  2. Restore all the deleted plugin files to their original location.
  3. Start the vSphere Web Client service.

See Also

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

  • 1 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.

What can we do to improve this information? (4000 or fewer characters)




Please enter the Captcha code before clicking Submit.
  • 1 Ratings
Actions
KB: