Security Bulletin: Vulnerability identified in VMware component affects Cloud Pak System (CVE-2021-21974)


Summary

Vulnerability identified in VMware component ESXi that is bundled with Cloud Pak System.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section.

Affected Products and Versions

Affected Product(s)     Version(s)
IBM Cloud Pak System    2.3.x.x

Remediation/Fixes

Vulnerability Details

CVEID: CVE-2021-21974
Description: VMware ESXi is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the OpenSLP service. By sending an overly long argument, a remote attacker from within the local network could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/197196 for the current score
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

For unsupported versions, releases, or platforms, IBM recommends upgrading to a fixed, supported version of the product. Contact the IBM CPS SWAT team for assistance.

The vulnerability identified in the VMware component affects ESXi hosts that have the OpenSLP service enabled. For IBM Cloud Pak System releases with ESXi 6.5 or ESXi 6.7, see the remedy recommendations.

See the Workarounds and Mitigations section to apply the workaround for this vulnerability.

Workarounds and Mitigations

The workarounds and mitigations apply to IBM Cloud Pak System v2.3.3.0, v2.3.3.3, and v2.3.3.3 Interim Fix 1.

OpenSLP as used in ESXi has a heap-overflow issue (CVE-2021-21974); for details, consult KB76372.

Follow these steps to apply or revert the workaround when needed.

Pre-requisites:

  1. The customer must be running the v2.3.3.0, v2.3.3.3, or v2.3.3.3 Interim Fix 1 release.
  2. The MKS External Console IP must be configured in Cloud Pak System so that the customer can access ESXi via ssh. (https://www.ibm.com/docs/en/cloud-pak-system-w3550/2.3.3?topic=groups-adding-ip)
  3. The Cloud Pak System user interface credentials are needed to log in and retrieve the Compute node credentials.
  4. External application users with Everyone privileges must be created and granted access to the Compute nodes. (https://www.ibm.com/docs/en/cloud-pak-system-w3550/2.3.3?topic=applications-configuring-external-application-access)

Solution:

Since this vulnerability is in SLP, the workaround is to disable SLP on all Compute nodes.

Instructions to implement the workaround:

To implement the workaround for CVE-2021-21974 on ESXi Servers, do the following steps:

  1. Select a compute node and log in to it over ssh by using the MKS external console IP and an external application user that has access to compute nodes.
  2. Check the status of SLP service on the ESXi host by running the following command:
    /etc/init.d/slpd status
  3. Stop the SLP service on the ESXi host with this command:
    /etc/init.d/slpd stop
  4. Run the following command to check whether the SLP service is still in use:
    esxcli system slp stats get
  5. Check the status of SLP service on the ESXi host by running the following command:
    /etc/init.d/slpd status
  6. Run the following command to disable the SLP service:
    esxcli network firewall ruleset set -r CIMSLP -e 0
  7. Run the following command to make this change persist across reboots:
    chkconfig slpd off
  8. Run the following command to check if the change is applied across reboots:
    chkconfig --list | grep slpd
    output: slpd off
  9. Exit to disconnect from the ssh session of the compute node.

Run the above steps on all the compute nodes where the workaround needs to be implemented.

Note: Once you apply this workaround, it will persist across compute node reboots. However, if you need to re-initialize the compute node, you must apply the workaround again.

Instructions to remove the implemented workaround:

To remove the workaround that is implemented for CVE-2021-21974 on ESXi Servers, do the following steps:

  1. Select a compute node and log in to it over ssh by using the MKS external console IP and an external application user that has access to compute nodes.
  2. Run the following command to check whether the SLP service is in use:
    esxcli system slp stats get
  3. Run the following command to enable the ruleset of SLP service:
    esxcli network firewall ruleset set -r CIMSLP -e 1
  4. Run the following command to change the current startup information of slpd service:
    chkconfig slpd on
  5. Run the following command to check that the change from the previous step is applied:
    chkconfig --list | grep slpd
    output: slpd on
  6. Run the following command to start the SLP service:
    /etc/init.d/slpd start
  7. Check the status of SLP service on the ESXi host by running the following command:
    /etc/init.d/slpd status
  8. Restart the CIM agent by running the following commands:
    /etc/init.d/sfcbd-watchdog status
    /etc/init.d/sfcbd-watchdog restart
    /etc/init.d/sfcbd-watchdog status
  9. Exit to disconnect from the ssh session of the compute node.

Do the above steps on all the compute nodes where the workaround needs to be reverted.
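The two procedures above (apply the workaround, remove the workaround) are plain command sequences that have to be repeated by hand on every compute node. The following script is an added example, not part of the IBM bulletin or of Cloud Pak System, that wraps both sequences in idempotent functions for one ESXi host. It runs the bulletin's commands in the bulletin's order and checks the chkconfig result before continuing, so a node where the persistent setting did not take effect is reported instead of silently skipped. The DRY_RUN and SAMPLE_CHKCONFIG variables, the run() wrapper and the function names are assumptions made for this example: with DRY_RUN=1 the script only prints the commands it would run and parses a constructed chkconfig line, so the sequence can be reviewed offline before it is used on a host.

```shell
#!/bin/sh
# Added example (not from the IBM bulletin): idempotent wrapper around the
# bulletin's apply/remove steps for one ESXi compute node. Copy it to the host
# after logging in over ssh as described in the prerequisites.
#   ./slp_workaround.sh --apply    apply the workaround (disable SLP)
#   ./slp_workaround.sh --revert   remove the workaround (re-enable SLP)
#   DRY_RUN=1 ./slp_workaround.sh --apply   print the commands only

# run CMD...: execute a command on the host, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# parse_chkconfig_state LINE: LINE is the output of `chkconfig --list | grep slpd`
# (for example "slpd   off"); prints "on", "off", or "unknown".
parse_chkconfig_state() {
    case "$1" in
        slpd*on)  echo on ;;
        slpd*off) echo off ;;
        *)        echo unknown ;;
    esac
}

# slpd_startup_state: the persistent slpd startup state on this host. In DRY_RUN
# mode a constructed sample line (SAMPLE_CHKCONFIG, assumed variable) is parsed
# instead so the logic can be exercised offline.
slpd_startup_state() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        parse_chkconfig_state "${SAMPLE_CHKCONFIG:-slpd off}"
    else
        parse_chkconfig_state "$(chkconfig --list | grep slpd)"
    fi
}

# apply_workaround: bulletin steps 2-8 (stop slpd, close the CIMSLP firewall
# ruleset, disable slpd at boot). Returns 0 only when slpd is confirmed off
# for future boots, 1 otherwise.
apply_workaround() {
    run /etc/init.d/slpd status
    run /etc/init.d/slpd stop
    run esxcli system slp stats get
    run /etc/init.d/slpd status
    run esxcli network firewall ruleset set -r CIMSLP -e 0
    run chkconfig slpd off
    state=$(slpd_startup_state)
    echo "slpd startup state: $state"
    [ "$state" = "off" ]
}

# revert_workaround: bulletin steps 2-8 of the removal procedure (reopen the
# ruleset, re-enable slpd at boot, start slpd, restart the CIM agent). Stops
# with status 1 if chkconfig does not report slpd on, before starting anything.
revert_workaround() {
    run esxcli system slp stats get
    run esxcli network firewall ruleset set -r CIMSLP -e 1
    run chkconfig slpd on
    state=$(slpd_startup_state)
    echo "slpd startup state: $state"
    [ "$state" = "on" ] || return 1
    run /etc/init.d/slpd start
    run /etc/init.d/slpd status
    run /etc/init.d/sfcbd-watchdog status
    run /etc/init.d/sfcbd-watchdog restart
    run /etc/init.d/sfcbd-watchdog status
}

# Entry point: only acts when given an explicit --apply or --revert argument.
if [ "${1:-}" = "--apply" ]; then
    apply_workaround
elif [ "${1:-}" = "--revert" ]; then
    revert_workaround
fi
```

Because the script exits non-zero when the persistent chkconfig state is not what the procedure expects, it can be driven from a loop over the compute node list and the failing nodes collected for a manual look; it does not replace the bulletin's note that a re-initialized compute node needs the workaround applied again.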

References

Acknowledgement

Change History

20 May 2021: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

Document Information

Modified date:
20 March 2023

UID

ibm16452265