On Tuesday, September 21, 2021, VMware released VMware Security Advisory VMSA-2021-0020, which affects vCenter Server. The advisory covers 19 vulnerabilities: 1 rated Critical and 18 rated Important or lower.
Workaround*: VMware KB 85717: https://kb.vmware.com/kb/85717
VMware Blog “VMSA-2021-0020: What You Need to Know”: https://via.vmw.com/vmsa-2021-0020-blog
VMware Communities: https://via.vmw.com/vmsa-2021-0020-community
*The workaround covers only the single Critical vulnerability. The remaining 18 lower-severity vulnerabilities are fixed only by applying the patch. The workaround should be used solely as a temporary measure until patching is complete. Refer to the FAQ for additional information.
The key information to share is that IMMEDIATE ACTION IS REQUIRED. Apply the patched vCenter Server version now, or apply the workaround (and understand its impact on functionality) if you cannot patch immediately.
VMware has released a very detailed blog and FAQ for this VMSA, which should help clarify questions that are sure to arise. These resources are linked above.
As a follow-up to the previous post, VMware Security expert Bob Plankers has just published an update to the vSphere Security Configuration guides. The changes are detailed in a blog article here:
One specific item of interest concerns the OpenSLP and CIM services on ESXi (ref. VMSA-2019-0022, VMSA-2020-0023):
“Added and updated guidance for disabling SLP and CIM service daemons on ESXi. Security advisories are often good opportunities to assess the state of things, and most customers do not use these protocols. No VMware products use these protocols, either. We now have good methods and guidance for disabling them.”
Furthermore, while not detailed in the blog, I understand that the slpd service is disabled by default in ESXi going forward.
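The guidance quoted above says SLP and CIM can be switched off on ESXi; the script below is an added example of doing that from the ESXi shell and then checking that it took. It is not VMware's code or the Security Configuration Guide's script: the commands follow VMware KB 76372 (SLP) and the esxcli wbem setting (CIM), and it assumes it runs in an ESXi shell where esxcli and chkconfig exist. The `chkconfig slpd` and `esxcli network firewall ruleset list` output shapes that the two check functions parse are assumptions, and the sample lines used to exercise them are constructed.

```shell
#!/bin/sh
# Added example (not VMware's code): disable the SLP daemon and the CIM (WBEM)
# service on an ESXi host, then verify the SLP change by parsing command output.
# Assumes the ESXi shell: esxcli and chkconfig present (per VMware KB 76372).

# Return 0 when `chkconfig slpd` output shows the service off, 1 otherwise.
# Assumed line shape: "slpd            off" (service name, then on/off).
slpd_is_off() {
  printf '%s\n' "$1" | awk '$1 == "slpd" && $2 == "off" { ok = 1 } END { exit !ok }'
}

# Return 0 when `esxcli network firewall ruleset list -r CIMSLP` shows the
# ruleset disabled, 1 otherwise. Assumed table shape: "CIMSLP  false".
cimslp_ruleset_disabled() {
  printf '%s\n' "$1" | awk '$1 == "CIMSLP" && $2 == "false" { ok = 1 } END { exit !ok }'
}

# Disable SLP: stop the daemon, close its firewall ruleset, and keep it from
# starting again on boot.
disable_slp() {
  /etc/init.d/slpd stop
  esxcli network firewall ruleset set -r CIMSLP -e 0
  chkconfig slpd off
}

# Disable the CIM/WBEM service. Caveat: this also stops hardware health
# monitoring that relies on CIM providers; skip it if you depend on that.
disable_cim() {
  esxcli system wbem set --enable false
}

# Only act when the ESXi tools are present, so the script is harmless elsewhere.
if command -v esxcli >/dev/null 2>&1 && command -v chkconfig >/dev/null 2>&1; then
  disable_slp
  disable_cim
  if slpd_is_off "$(chkconfig slpd)" \
     && cimslp_ruleset_disabled "$(esxcli network firewall ruleset list -r CIMSLP)"; then
    echo "slpd disabled and CIMSLP ruleset closed"
  else
    echo "slpd still appears enabled; investigate before relying on this host" >&2
    exit 1
  fi
fi
```

The verification step matters more than the disable step: a host that was patched or rebuilt since you last looked may have slpd re-enabled, so run the two checks across the fleet rather than assuming the one-time change stuck.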
You can download the vSphere Security Configuration guides at https://core.vmware.com/security-configuration-guide