VxRail: Information about VMSA-2021-0010 and VxRail Environments
Summary: This article outlines the response from VxRail Engineering to the security issue described in VMware Security Advisory VMSA-2021-0010 and recommendations to fix or mitigate the issue.
Instructions
VMware has published information about a serious security issue with several vCenter plugins as described in VMSA-2021-0010. For more information about this issue, see the following VMware articles:
- VMSA-2021-0010 official advisory
- VMSA-2021-0010: What You Must Know
- Questions & Answers for VMSA-2021-0010
VxRail Appliance Software releases are available with the updated vCenter builds which fix the issue. Details on these releases can be found below.
VxRail environments with VxRail deployed and managed vCenter
This issue has been resolved in the following VxRail Appliance Software releases:
- VxRail Appliance Software release 4.5.461
- VxRail Appliance Software release 4.7.531
- VxRail Package Software release 7.0.201
If you have deployed the previously recommended workaround to disable the VMware vSAN H5 client plugin, you must revert those changes after upgrading to the VxRail Appliance Software release which contains the fix for VMSA-2021-0010. The procedure to revert the change and enable the VMware vSAN H5 client plugin is outlined in the following VMware KB article:
How to Disable VMware Plugins in vCenter Server (83829)
Workaround for the issue described in VMSA-2021-0010
For users with a VxRail deployed and managed vCenter, the recommendation to mitigate the issue is to upgrade to the appropriate VxRail Appliance Software release which contains the fix.
For users who are not in a position to upgrade to a VxRail Appliance Software release with a fix, there is an alternative temporary workaround: disabling the VMware vSAN H5 client plugin avoids the issue described in VMSA-2021-0010. The procedure to disable the plugin is outlined in the following VMware KB article:
How to Disable VMware Plugins in vCenter Server (83829)
After you have upgraded to a VxRail Appliance Software release with the fix, you must reverse the changes outlined in the article. The procedure to revert the workaround is also covered in the same article.
As outlined in the above VMware KB, disabling the vSAN H5 plugin has the following impact:
- vSAN continues to function and vSAN related alarms continue to trigger for any events in the environment. These features are not dependent on the vSAN H5 plugin.
- The vSAN sections in the Monitoring and Configuration tabs in the vCenter UI are unavailable, and thus you cannot change the existing vSAN configuration.
- The Skyline/vSAN Health UI is unavailable, but the underlying logic monitoring the environment is still functional.
VxRail Manager continues to receive alarms and other events from the vSAN Health Service on vCenter (this is a separate service from the vSAN H5 plugin). Thus, it continues to report any VXR0xxxx alarms related to traditional vSAN-related events or issues. There are no problems with reporting issues through Secure Remote Services.
VxRail environments with user/external managed vCenter
For users with their own managed or external vCenter, the recommendation is to upgrade to the latest version with the fix for your major version of vCenter (such as 6.5, 6.7, 7.0, and so forth). The vCenter versions or builds with the fix are outlined in the VMSA-2021-0010 official advisory KB article referenced above.
For more information about compatibility between vCenter and VxRail Software Appliance releases, see the following KB:
User-managed VMware vCenter Server Interoperability Matrix
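The decision flow described in this article, written as a fleet triage helper. This is an added example, not Dell or VMware code. It assumes release strings of the form X.Y.ZZZ with an optional build suffix and that later releases in the same train also carry the fix; the function names, cluster names and build number are constructed for illustration.

```python
import re

# Fixed VxRail releases per release train, as listed in this article.
FIXED = {(4, 5): 461, (4, 7): 531, (7, 0): 201}

def parse_release(text):
    """Parse 'X.Y.ZZZ', ignoring an optional '-build' suffix (assumed format)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:-\d+)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised VxRail release: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor), patch

def triage(release, vcenter="managed", vsan_plugin_disabled=False):
    """Return the action this article prescribes for one cluster."""
    if vcenter == "external":
        # User-managed vCenter: the fix is in the vCenter build, not in VxRail.
        return "check vCenter build against VMSA-2021-0010"
    train, patch = parse_release(release)
    if train not in FIXED:
        return "release train not covered by this article"
    # Assumption: later releases in the same train also carry the fix.
    if patch >= FIXED[train]:
        # The workaround must be reverted once the fixed release is installed.
        return "fixed: re-enable vSAN H5 plugin" if vsan_plugin_disabled else "fixed"
    if vsan_plugin_disabled:
        return "mitigated by workaround: upgrade to fixed release"
    return "exposed: upgrade or disable vSAN H5 plugin"

# Constructed sample inventory: (name, release, vCenter type, plugin disabled).
INVENTORY = [
    ("cluster-a", "4.7.520", "managed", False),
    ("cluster-b", "4.7.531-27324338", "managed", True),
    ("cluster-c", "7.0.130", "managed", True),
    ("cluster-d", "4.5.461", "external", False),
]

def report(inventory=INVENTORY):
    """Map each cluster name to its prescribed action."""
    return {name: triage(rel, vc, off) for name, rel, vc, off in inventory}

if __name__ == "__main__":
    for name, action in report().items():
        print(f"{name}: {action}")
```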