VMware have published information on a serious security issue with a number of vCenter plugins as described in VMSA-2021-0010. For more information on this issue refer to the following VMware articles:
VxRail Appliance Software releases are available with updated vCenter builds that fix the issue. Details on these releases can be found below.
VxRail environments with VxRail deployed/managed vCenter
This issue has been resolved in the following VxRail Appliance Software releases:
- VxRail Appliance Software release 4.5.461
- VxRail Appliance Software release 4.7.531
- VxRail Package Software release 7.0.201
If you have deployed the previously recommended workaround to disable the VMware vSAN H5 client plugin, then you must revert those changes after upgrading to the VxRail Appliance Software release which contains the fix for VMSA-2021-0010. The procedure to revert the change and enable the VMware vSAN H5 client plugin is outlined in the following VMware KB article:
How to Disable VMware Plugins in vCenter Server (83829)
Workaround for the issue described in VMSA-2021-0010
For customers with a VxRail deployed/managed vCenter the recommendation to mitigate against the issue is to upgrade to the appropriate VxRail Appliance Software release which contains the fix.
For customers who are not in a position to upgrade to a VxRail Appliance Software release with a fix, there is an alternative temporary workaround: disabling the VMware vSAN H5 client plugin to avoid the issue described in VMSA-2021-0010. The procedure to disable the plugin is outlined in the following VMware KB article:
How to Disable VMware Plugins in vCenter Server (83829)
When you have upgraded to a VxRail Appliance Software release with the fix, you will need to revert the changes outlined in the article. The procedure to revert the workaround is also covered in the same article.
As outlined in the above VMware KB disabling the vSAN H5 plugin will have the following impact:
- vSAN will continue to function normally, and vSAN related alarms will continue to trigger for any events in the environment. These features are not dependent on the vSAN H5 plugin.
- The vSAN sections in the Monitoring and Configuration tabs in the vCenter UI will be unavailable, and thus you cannot make changes to the existing vSAN configuration.
- The Skyline/vSAN Health UI interface will be unavailable but the underlying logic monitoring the environment is still functional.
VxRail Manager will continue to receive alarms and other events from the vSAN Health Service on vCenter (this is a separate service from the vSAN H5 plugin). Thus it will continue to report any VXR0xxxx alarms related to traditional vSAN events or issues. Reporting issues through Secure Remote Services (SRS) is also unaffected.
Note: If there is a critical issue with vSAN then the plugin may need to be temporarily enabled to assist with troubleshooting and quicker resolution. When the issue has been fixed the plugin can be disabled again. In this scenario vCenter will be exposed to the vulnerability as described in VMSA-2021-0010 while the plugin is enabled.
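The fixed releases and workaround guidance above, applied to an inventory of VxRail-managed vCenters, as an added example that is not Dell EMC or VMware code. It assumes that within a release train any build number at or above the listed one contains the fix; the inventory rows and the function names are constructed for illustration.

```python
# Added example: triage VxRail-managed vCenters against this advisory.
# Assumption: within a release train (4.5, 4.7, 7.0) any build number at or
# above the listed one also contains the fix for VMSA-2021-0010.
FIXED = {(4, 5): 461, (4, 7): 531, (7, 0): 201}  # releases listed in this advisory

def parse_release(text):
    """Parse 'major.minor.build' (e.g. '4.7.531') into ((major, minor), build)."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised release string: {text!r}")
    major, minor, build = (int(p) for p in parts)
    return (major, minor), build

def triage(release, vsan_plugin_disabled):
    """Return the recommended action for one VxRail-managed vCenter."""
    try:
        train, build = parse_release(release)
    except ValueError:
        return "UNKNOWN: check release manually"
    if train not in FIXED:
        return "UNKNOWN: release train not covered by this advisory"
    has_fix = build >= FIXED[train]
    target = f"{train[0]}.{train[1]}.{FIXED[train]}"
    if has_fix and vsan_plugin_disabled:
        # The workaround must be reverted once the fixed release is installed.
        return "REVERT: fix installed, re-enable vSAN H5 plugin (KB 83829)"
    if has_fix:
        return "OK: fix installed"
    if vsan_plugin_disabled:
        return f"MITIGATED: workaround in place, upgrade to {target} or later"
    return f"EXPOSED: upgrade to {target} or later, or disable vSAN H5 plugin (KB 83829)"

# Constructed sample inventory: (cluster name, release, vSAN H5 plugin disabled?)
INVENTORY = [
    ("cluster-a", "4.7.520", False),
    ("cluster-b", "4.7.531", True),
    ("cluster-c", "7.0.132", True),
    ("cluster-d", "4.5.461", False),
    ("cluster-e", "4.0.500", False),
]

if __name__ == "__main__":
    for name, release, disabled in INVENTORY:
        print(f"{name:10} {release:8} {triage(release, disabled)}")
```

A cluster reported as MITIGATED returns to EXPOSED for as long as the plugin is temporarily re-enabled for troubleshooting, as the note above describes.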
VxRail environments with customer/external managed vCenter
For customers with their own managed or external vCenter, the recommendation is to upgrade to the latest version with the fix for your major version of vCenter (such as 6.5, 6.7, 7.0 etc.). The vCenter versions/builds with the fix are outlined in the VMSA-2021-0010 official advisory KB article referenced above.
For more information on compatibility between vCenter and VxRail Software Appliance releases see the following KB:
VxRail: VxRail and external vCenter interoperability matrix (157682)
VMware Cloud Foundation on Dell EMC VxRail and APEX Hybrid Cloud
For customers with VMware Cloud Foundation/APEX Hybrid Cloud on Dell EMC VxRail, details on fixes are outlined in the VMSA-2021-0010 official advisory KB article referenced above. vCenter upgrades in VMware Cloud Foundation are managed by its internal Lifecycle Management interface in SDDC Manager.
For more information on VxRail Engineering's recommendation regarding this issue and VMware Cloud Foundation see the following KB:
Dell EMC VCF on VxRail: Information on VMSA-2021-0010 (188543)