Purpose
The vCloud Usage Meter team has investigated the impact of vulnerabilities which require local access (such as local privilege escalation, local information disclosure, local denial of service, etc.) and determined that the product can be protected from these types of vulnerabilities by performing the steps detailed in this article. This workaround is meant to be a temporary solution only; permanent fixes will be released as soon as they are available.
Warning
This workaround is applicable ONLY to vCloud Usage Meter 3.5, 3.6, and 3.6.1. Do not apply this workaround to other VMware products.
Functionality Impacts
This workaround is only necessary for users who have enabled SSH to perform upgrade data migration. By default, SSH is disabled and this workaround is not needed. However, if you have enabled SSH per the documentation to perform a data migration, then use these steps to disable SSH. No metering functions will be impacted by the workaround. If you need to perform a data migration from the affected Usage Meter, follow the documentation to enable SSH, and upon completion of the migration, follow this workaround to disable SSH.
Resolution
To implement the workaround for vulnerabilities which require local access, perform the following steps:
Log in via SSH or console as user usgmtr, then run su and enter the root password to become the root user.
Once logged in as the root user, run the following commands (the first stops the running SSH service; the second keeps it from starting again on reboot):
/usr/sbin/service sshd stop
/usr/sbin/chkconfig sshd off
To confirm that the workaround has been correctly applied, perform the following step:
Try to log in from any other machine using SSH to the above server, for example: ssh usgmtr@hostname. The connection will be refused.
To revert the workaround:
Log in via console as user usgmtr, then run su and enter the root password to become the root user.
Once logged in as the root user, run the following command to enable SSH:
/usr/sbin/service sshd start
If you also want SSH to be enabled after the Usage Meter appliance reboots, run the following command:
/usr/sbin/chkconfig sshd on
Please note that enabling SSH is not required for normal operation of Usage Meter. It is only required for data migration.
Example vulnerabilities that this workaround will be effective against:
CVE-2017-5753, CVE-2017-5715, CVE-2017-5754
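The article's confirmation step is a manual SSH attempt from another host. The following POSIX shell helper is an added example, not part of the VMware article or the Usage Meter product: it checks on the appliance itself that sshd is both disabled at boot (by inspecting `chkconfig --list sshd` output, which the article's `chkconfig sshd off` command controls) and no longer listening on TCP port 22 (by inspecting `netstat -tln` output). The parsing functions take the command output as an argument so they can be exercised against constructed sample lines; the function names and the sample lines are this example's own assumptions.

```shell
#!/bin/sh
# Added verification helper (not from the VMware KB article).
# Assumes a SysV/chkconfig appliance such as vCloud Usage Meter 3.5/3.6/3.6.1
# and that netstat is available; run as root after applying the workaround.

# Return 0 if a "chkconfig --list sshd" line shows sshd off in every runlevel.
# The line is passed as $1 so captured output can be checked offline.
chkconfig_line_all_off() {
    line="$1"
    case "$line" in
        *:on*) return 1 ;;   # any "N:on" field means sshd still starts at boot
        sshd*) return 0 ;;   # an sshd line with only "N:off" fields
        *)     return 1 ;;   # not an sshd line at all (e.g. service unknown)
    esac
}

# Return 0 if nothing is listening on TCP port 22 in the given "netstat -tln"
# output (passed as $1). Matches both IPv4 ("0.0.0.0:22") and IPv6 (":::22").
no_ssh_listener() {
    printf '%s\n' "$1" | grep -qE '^tcp[^ ]* +[0-9]+ +[0-9]+ +[^ ]*:22 ' && return 1
    return 0
}

# Live check: gather real output on the appliance and apply both tests.
verify_ssh_disabled() {
    boot="$(/sbin/chkconfig --list sshd 2>/dev/null)"
    listen="$(netstat -tln 2>/dev/null)"
    chkconfig_line_all_off "$boot" || { echo "sshd still enabled at boot: $boot"; return 1; }
    no_ssh_listener "$listen"     || { echo "a service is still listening on TCP port 22"; return 1; }
    echo "sshd is stopped and disabled at boot"
    return 0
}

# Run the live check only when invoked as "sh check-ssh.sh --live" so the
# helper functions can also be sourced or tested without touching the system.
if [ "${1:-}" = "--live" ]; then
    verify_ssh_disabled
fi
```

Constructed sample lines for offline checks look like `sshd 0:off 1:off 2:off 3:off 4:off 5:off 6:off` (disabled) versus `sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off` (still enabled), and a `netstat -tln` row such as `tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN` (still listening). After `service sshd stop` and `chkconfig sshd off` the live check should print that sshd is stopped and disabled; a non-zero exit tells you which of the two conditions was not met.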