This post describes how to properly patch/fix the JMX security issue in vCenter Server (CVE-2015-2342) to make sure you are protected from the remote code execution described in VMSA-2015-0007.3, which is an update of the original VMSA-2015-0007 security bulletin from 2015-10-01.

Protection using a firewall:

The easiest way to get immediate protection against remote code execution through this security issue is to block TCP port 9875 with a firewall. This will usually buy you enough time to plan the patching described below at a convenient time. The firewall port protection is already done for you if you are running vCenter Appliance version 5.1 or newer. In vCenter for Windows, just block the port in question using the Windows Firewall.
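One way to add and check that Windows Firewall block, as an added example that is not taken from VMware or the KB article. It assumes an elevated PowerShell session on Windows Server 2012 or newer (the NetSecurity cmdlets are not available on older releases); the rule name and the host name in the last comment are made up for illustration.

```powershell
# Added example: block inbound TCP 9875 on a vCenter Server for Windows host.
# Assumptions: elevated session, Windows Server 2012 or newer.
$Port     = 9875                              # port named in this post
$RuleName = 'Block inbound TCP 9875 (JMX)'    # hypothetical rule name

# Create the block rule only if it does not exist yet, so the script can be re-run.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $Port -Action Block -Profile Any | Out-Null
}

# The rule only helps on profiles where the firewall is actually switched on.
$notEnabled = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
foreach ($p in $notEnabled) {
    Write-Warning "Firewall profile '$($p.Name)' is not enabled; the block rule has no effect there."
}

# Show the rule as the firewall sees it (expect Enabled = True, Action = Block).
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Direction, Action

# Show which process, if any, is listening on the port locally.
Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# Final check, run from a DIFFERENT machine on the network
# (vcenter.example.local is a placeholder host name):
#   Test-NetConnection -ComputerName vcenter.example.local -Port $Port
# TcpTestSucceeded should be False once the block rule is active.
```

In Windows Firewall a block rule takes precedence over allow rules for the same traffic, so an existing allow rule for the port does not need to be removed first.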

Patching the actual security issue:

If you’re running vCenter Server 6.0 (Appliance or Windows), just update it to version 6.0.0b or newer, and you’re covered.

If you are running vCenter Appliance 5.x, just make sure it’s updated to at least 5.5 Update 3 / 5.1 Update 3b / 5.0 Update 3e, respectively, and you’re covered.

However, if you’re running vCenter Server 5.x on Windows, you need to take some additional manual steps inside the Windows machine. These are described in VMware KB article 2144428, and include replacing the file C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\bin\service\conf\wrapper.conf for the vSphere Web Client, either manually or using a VB-script attached to the KB article. Just follow the instructions in the article, and you’re done.

You need to restart the vSphere Web Client web server, but not the entire vCenter Server service, so this is fairly easy to do in a planned service window during work hours (if your policy allows it).

Happy patching!