OpenSLP vulnerabilities have been disclosed that affect ESXi. These vulnerabilities and their impact on VMware products are documented in the following VMware Security Advisories (VMSAs):

VMSA-2021-0002 (CVE-2021-21972, CVE-2021-21973, CVE-2021-21974)
VMSA-2020-0023 (CVE-2020-3981, CVE-2020-3982, CVE-2020-3992, CVE-2020-3993, CVE-2020-3994, CVE-2020-3995)
VMSA-2019-0022 (CVE-2019-5544)

For CVE-2021-21974, VMware KB https://kb.vmware.com/s/article/76372 suggests disabling the SLP service as a workaround until the patch can be applied. Disabling the SLP service will result in CIM clients not being able to locate the service over port 427.

*Note: Disabling the SLP service on ESXi hosts should not have any negative effect on PowerFlex Manager (PFxM) functionality.
PFxM does not use the SLP service for monitoring, inventory, or any other operations.
In limited lab testing, there was no observed impact of disabling the SLP service on ESXi hosts in an HCI service.

*Warning: If the SLP service is disabled on all existing ESXi hosts in a PFxM Service and a subsequent node expansion is then performed, the new ESXi hosts will NOT have the SLP service disabled!
When a PFxM Node add is performed and an existing node (resource) is duplicated, or a new template is used, the ESXi host(s) will have the default setting of SLP service enabled. PFxM does not duplicate settings at the level this service is running at.
If the desired result is to have the SLP service disabled (when adding a node to an existing service OR in a newly deployed service), you must perform manual steps to disable the SLP service after the node add is complete. Refer to the steps for CVE-2021-21974 in VMware KB https://kb.vmware.com/s/article/76372

1) Stop the SLP service on the ESXi host with this command:
   /etc/init.d/slpd stop
   Note: The SLP service can only be stopped when the service is not in use. Use the following command to view the operational state of the Service Location Protocol Daemon:
   esxcli system slp stats get
2) Run the following command to disable the SLP service:
   esxcli network firewall ruleset set -r CIMSLP -e 0
   To make this change persist across reboots:
   chkconfig slpd off
   To check if the change is applied across reboots:
   chkconfig --list | grep slpd
   output: slpd off
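A check that can be run on each ESXi host after a PFxM node add to confirm the two persistent settings from the steps above. This is an added example, not Dell's or VMware's code; the `esxcli network firewall ruleset list -r CIMSLP` call and its column layout are assumptions not shown on this page, and the sample output is constructed.

```sh
#!/bin/sh
# Added example: confirm the SLP workaround's persistent settings on one ESXi host.
# Parsers take command output as text so they can be exercised offline.

# Succeeds only if `chkconfig --list` text has an slpd entry and it is "off".
slpd_boot_disabled() {
    printf '%s\n' "$1" | awk '$1 == "slpd" { found = 1; if ($2 != "off") bad = 1 }
        END { exit !(found && !bad) }'
}

# Succeeds only if the ruleset listing has a CIMSLP row with Enabled = false.
# Assumed column layout: "Name  Enabled ..." (not shown on the page).
cimslp_ruleset_disabled() {
    printf '%s\n' "$1" | awk '$1 == "CIMSLP" { found = 1; if ($2 != "false") bad = 1 }
        END { exit !(found && !bad) }'
}

# Prints COMPLIANT, or NONCOMPLIANT with the setting(s) that still expose SLP.
# A missing entry counts as unconfirmed, so the check fails closed.
slp_workaround_status() {
    slp_boot=exposed; slp_fw=exposed
    if slpd_boot_disabled "$1"; then slp_boot=ok; fi
    if cimslp_ruleset_disabled "$2"; then slp_fw=ok; fi
    if [ "$slp_boot" = ok ] && [ "$slp_fw" = ok ]; then
        echo "COMPLIANT"
    else
        echo "NONCOMPLIANT boot=$slp_boot firewall=$slp_fw"
    fi
}

if command -v esxcli >/dev/null 2>&1; then
    # Live check in the ESXi shell.
    slp_workaround_status "$(chkconfig --list)" \
        "$(esxcli network firewall ruleset list -r CIMSLP)"
else
    # Constructed sample: a node just added by PFxM, still at ESXi defaults.
    sample_fw='Name    Enabled
------  -------
CIMSLP  true'
    slp_workaround_status "slpd on" "$sample_fw"
fi
```

The script checks only the boot-time and firewall settings; whether slpd is currently running still has to be confirmed with the commands in step 1.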