Critical VMware VMSA-2021-0010 (PATCH YOUR vCENTER)

What is the VMSA-2021-0010 vulnerability?

The vSphere Client (HTML5) contains a remote code execution vulnerability (CVE-2021-21985) due to lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server. A malicious actor with network access to port 443 can exploit it to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

The affected Virtual SAN Health Check plug-in is enabled by default in all vCenter Server deployments, whether or not vSAN is being used.

Implementation Time: Immediate

These updates fix a critical security vulnerability and should be treated as urgent. Organizations that practice change management using the ITIL definitions of change types would consider this an “emergency change.” All environments are different, have different tolerance for risk, and have different security controls and defense-in-depth to mitigate risk, so the decision on how to proceed is up to you. However, given the severity, we strongly recommend that you act.

Why are you affected by VMSA-2021-0010?

The VMSA outlines two issues that are resolved in this patch release. First, there is a remote code execution vulnerability in the vSAN Health Check plug-in, which ships as part of vCenter Server. Anyone who can reach the vSphere Client (port 443) of a vCenter Server over the network can use it to gain access, regardless of whether you use vSAN or not.

Second, improvements were made to the vCenter Server plug-in framework to better enforce plug-in authentication (CVE-2021-21986). This affects some VMware plug-ins (the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager and VMware Cloud Director Availability plug-ins) and may also cause some third-party plug-ins to stop working. VMware partners have been notified and are testing their plug-ins (most continue to work), but there may be a period after updating when a virtualization admin team needs to access backup, storage, or other systems through their respective management interfaces rather than through the vSphere Client UI. If a third-party plug-in in your environment is affected, contact the vendor that supplied it for an update.

How to protect your environment?

Don’t think twice: patch your vCenter Server immediately. This is the fastest way to resolve the problem, does not involve editing files on the vCenter Server Appliance (VCSA) the way the interim workaround does, and removes the vulnerability completely. From there you can update any plug-ins as vendors release new versions.

Steps to patch your vCenter Server:

There are three ways to patch vCenter Server.

To learn more about the vulnerability, refer to VMware’s advisory page for VMSA-2021-0010 (details about the issue and workaround), the accompanying FAQ (the right place for your queries) and the official VMware blog post.

How to configure LDAPS as Identity Source in vSphere Client (vCenter).

In this section we add Active Directory over LDAP as an identity source in vCenter Server.

What we achieve: we can add AD users and groups to vCenter roles and let them log in to vCenter with their AD credentials.

Why use LDAPS: LDAPS (LDAP over SSL/TLS) is the same directory protocol as LDAP, but the connection is wrapped in TLS, so the bind credentials and directory queries are not sent in clear text and vCenter can verify it is talking to a genuine domain controller by checking the certificate you upload. The default port for an LDAPS service provider URL is 636.

1. Log in to the vSphere Client of the vCenter Server where you want to configure LDAPS as an identity source.

2. Click Menu and select Administration.

3. Select Single Sign-On > Configuration > Identity Sources > Add Identity Source.

4. Select Active Directory over LDAP as the identity source type.

5. Enter the details to configure AD as LDAPS.

Format explained:

  • Name: a display name for the identity source (typically the domain name)
  • Base DN for users: dc=domainname,dc=local (the container or organizational unit of AD in which users are searched; narrow it if you only want a subtree)
  • Base DN for groups: dc=domainname,dc=local (the container or organizational unit of AD in which groups are searched)
  • Domain name: the DNS name of the domain (domainname.local)
  • Domain alias: the NetBIOS name of the domain (what users type as DOMAIN\user)
  • Username: the DN (or user@domainname.local UPN) of a service account that has read-only access to the base DNs above; it does not need to be an administrator
  • Password: password for the user account mentioned above
  • Primary server URL: ldaps://<domain-controller-fqdn>:636 (use the FQDN exactly as it appears in the domain controller’s certificate, not an IP address, because vCenter validates the certificate against the host in the URL)
  • You can use the domain name instead of a specific DC if all your domain controllers are configured for LDAPS, but then each DC presents its own certificate, so upload the issuing CA certificate rather than one DC’s certificate
  • Secondary server URL: ldaps://<domain-controller-fqdn>:636 (optional)

6. Add the SSL certificate of the Active Directory server named in the Primary server URL. Getting hold of it is a common question, so here are the steps:

  • Log in to the vCenter Server Appliance over SSH (using PuTTY) and type shell to leave the appliance shell and get a bash prompt.
  • Run: openssl s_client -connect <domain-controller-fqdn>:636 -showcerts </dev/null
  • The command prints the certificate chain the domain controller presents, in PEM form: the first block is the DC’s own certificate, the last is the top of its chain (normally the issuing CA).
  • Copy the complete block from —–BEGIN CERTIFICATE—– to —–END CERTIFICATE—– (the first block for a single-DC URL, the CA block if the URL names the domain).
  • Paste it into a text editor and save the file as ldapcert.cer; when saving, set Save as type to All files so the editor does not append .txt.
  • Click Browse in the configuration tab of the vSphere Client, select the certificate file ldapcert.cer and click Open.
  • The certificate is now listed; click Add.

7. Active Directory over LDAPS is now successfully configured.
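As an added example (my own script, not the original author’s steps and not VMware tooling), the following bash wrapper around the openssl command from step 6 fetches the chain a domain controller presents on 636, splits it into the DC’s certificate and the issuing CA’s certificate, and prints the fields vCenter matches against the ldaps:// URL. It assumes bash and openssl on the VCSA (after `shell`) or any Linux admin host; dc01.corp.example and CORP-ROOT-CA are placeholders, and SAMPLE_DUMP is a constructed, shortened copy of what `-showcerts` prints so the helpers can be tried without a DC.

```shell
#!/bin/bash
# Added example for this post (not VMware's or the original author's code).
# Assumes bash + openssl, e.g. on the VCSA after `shell` from appliancesh, or
# on any Linux admin host. dc01.corp.example / CORP-ROOT-CA are placeholders.

# Dump the chain the DC presents on 636. </dev/null closes s_client's stdin so
# it does not sit waiting for LDAP input; stderr carries only handshake noise.
fetch_chain() {        # fetch_chain <host> [port]
  openssl s_client -connect "$1:${2:-636}" -showcerts </dev/null 2>/dev/null
}

# Number of PEM certificates in an s_client dump read on stdin (0 if none).
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Print only the N-th PEM block (1 = the DC's own certificate, last = the
# top of the chain the DC sent, normally the issuing/root CA).
nth_cert() {           # nth_cert <n>   (dump on stdin)
  awk -v want="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n == want { print }
    /-----END CERTIFICATE-----/ && n == want { exit }'
}

# What vCenter compares against the ldaps:// URL: subject/SAN, issuer and
# validity. The host in the URL must appear in CN or SAN (an IP will not).
describe_cert() {      # describe_cert <pem-file>
  openssl x509 -in "$1" -noout -subject -issuer -dates
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' || true
}

# Constructed sample of -showcerts output (certificate bodies shortened) so
# the helpers can be exercised without a domain controller.
SAMPLE_DUMP='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = dc01.corp.example
   i:CN = CORP-ROOT-CA
-----BEGIN CERTIFICATE-----
MIIDleafBODY
-----END CERTIFICATE-----
 1 s:CN = CORP-ROOT-CA
   i:CN = CORP-ROOT-CA
-----BEGIN CERTIFICATE-----
MIIDcaBODY
-----END CERTIFICATE-----
---
Server certificate
subject=CN = dc01.corp.example
issuer=CN = CORP-ROOT-CA'

# Live run:  ./ldapcert.sh fetch dc01.corp.example
# Writes dc-leaf.cer (upload when the URL names this one DC) and
# issuing-ca.cer (upload when the URL names the domain, so any DC validates).
if [ "${1:-}" = "fetch" ]; then
  fetch_chain "${2:?host}" > chain.txt
  n=$(count_certs < chain.txt)
  [ "$n" -gt 0 ] || { echo "no certificate received from $2:636 (LDAPS not enabled?)" >&2; exit 1; }
  nth_cert 1    < chain.txt > dc-leaf.cer
  nth_cert "$n" < chain.txt > issuing-ca.cer
  describe_cert dc-leaf.cer
fi
```

Run `describe_cert` on whichever file you intend to upload before touching the vSphere Client: if the FQDN you put in the Primary server URL is not in the certificate’s CN or SAN, or the notAfter date has passed, the identity source will be added but binds will fail, and that is much easier to see here than in the SSO error dialog. An empty chain usually means the DC has no server certificate for LDAPS at all, in which case the fix is on the AD side, not in vCenter.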