Critical security patch for vCenter Server (VMSA-2020-006)

VMware has released a critical security patch for vCenter Server 6.7 named VMSA-2020-006. It has a CVSS score of 10, which is all you really need to know to get a sense of the urgency to install this patch. The short version of our recommendation is therefore that you should patch as soon as possible.

The basics:

The security vulnerability only affects vCenter Servers on version 6.7 that have previously been upgraded from 6.0 or 6.5, but our recommendation is to patch your installation regardless of whether it’s a clean installation or not. That way you can be more certain, and anyone can verify that your vCenter Server is safe against this vulnerability just by looking at the version.

The easiest way to upgrade is through the VAMI interface, which you can reach at https://<vCenter Server IP>:5480/. From there, go to the ‘Upgrade’ tab, then stage and install the patch (assuming your vCenter Server has internet access, which we don’t recommend). The PSC/vCenter Server will be unavailable for a couple of minutes while it upgrades and reboots, but usually not for as long as the upgrade UI suggests (see screenshot below).

That was the short version. If you’re interested in some more details, keep reading. If not, go patch your systems.

The details:

The vulnerability affects both the VCSA and the Windows version of vCenter Server, and it doesn’t matter whether you have an external or an embedded PSC.

The patch upgrades your vCenter Server to version 6.7u3f (6.7.0.4300).
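Since the post recommends verifying patch status by version alone, the following is an added example (not part of the original post or of any VMware tooling) that classifies a list of vCenter Servers against the 6.7.0.4300 level stated above. The hostnames and versions in the sample inventory are constructed; the comparison is numeric per dotted component, so the threshold constant must be written in the same scheme the appliance itself reports on its summary page.

```python
"""Added example: classify vCenter Servers against the VMSA-2020-006
patch level stated in the advisory text (6.7.0.4300 for 6.7u3f).

The inventory below is constructed sample data, not real systems.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Patched vCenter 6.7 version as given in the text above.
PATCHED_67: Tuple[int, ...] = (6, 7, 0, 4300)


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse a dotted version such as '6.7.0.4300' into four integers.

    Trailing non-numeric text (for example a build suffix) is ignored and
    missing components are padded with zero, so '6.7' becomes (6, 7, 0, 0).
    Raises ValueError if the string does not start with a number.
    """
    match = re.match(r"^\s*(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts: List[int] = [int(p) for p in match.group(1).split(".")][:4]
    parts += [0] * (4 - len(parts))
    return tuple(parts)


def assess(version: str, upgraded_from_older: bool) -> str:
    """Classify one vCenter Server.

    'patched'       6.7 line at or above PATCHED_67
    'vulnerable'    6.7 line below PATCHED_67 and upgraded from 6.0/6.5,
                    the affected case the advisory describes
    'patch-anyway'  6.7 line below PATCHED_67 on a clean install; the post
                    recommends patching these too
    'out-of-scope'  not on the 6.7 line at all
    """
    parsed = parse_version(version)
    if parsed[:2] != (6, 7):
        return "out-of-scope"
    if parsed >= PATCHED_67:
        return "patched"
    return "vulnerable" if upgraded_from_older else "patch-anyway"


def report(inventory: Iterable[Tuple[str, str, bool]]) -> Dict[str, str]:
    """Map each (name, version, upgraded_from_older) entry to its status."""
    return {name: assess(version, upgraded) for name, version, upgraded in inventory}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("vcsa-prod", "6.7.0.4200", True),     # upgraded from 6.5, not yet patched
    ("vcsa-lab", "6.7.0.4300", False),     # clean 6.7 install, patched
    ("vcsa-dr", "6.7", False),             # clean install, version reported short
    ("vcsa-legacy", "6.5.0.3000", False),  # not on the 6.7 line
]

if __name__ == "__main__":
    for host, status in report(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

The `upgraded_from_older` flag exists only so the output distinguishes the case the advisory names from a clean install; both end up in the "patch this" bucket, which matches the post's recommendation.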

If you want to avoid being exposed to vulnerabilities such as this one in the future, do consider implementing network segmentation and separating administrators from users. This is included in our standard customer architecture.

You can try to validate whether your vCenter Server is vulnerable by looking for a particular log message, but as mentioned, our recommendation is to patch regardless. The screenshot below shows a check confirming that our lab vCenter Server either does not have the vulnerability or at least does not contain that particular log message: