I normally don’t cover the various security patches that VMware releases for different vCenter versions, but this one rises to the level of code red (9.8 out of 10). Some outside groups discovered that if they had access to port 443 on the vCenter, they could get unrestricted access to the underlying operating system. This is achieved through VMware’s vSAN plugin. The problem is that even if you don’t use vSAN, the vulnerability is still there.
So what do I do? Patching the vCenter is the best option. This issue impacts vCenter 6.5, 6.7, and 7.0. You can read about it here: https://www.vmware.com/security/advisories/VMSA-2021-0010.html. If you can’t immediately patch the vCenter and you don’t use vSAN, then you can disable the vSAN plugin instead. A discussion of that is here: https://blogs.vmware.com/vsphere/2021/05/vmsa-2021-0010.html.
One final note: the vCenter patch may impact other third-party plugins because of VMware’s changes to plug the security hole. I am not aware of issues with our plugins, for example VSI, but if I find out differently I’ll update here, and we would have to produce a patch.