It seems like a new security exploit is being discovered and released weekly for most products. I get it that some people have a lot of time on their hands these days. With the newest one, VMSA-2021-0014, if you aren’t looking to upgrade again after the previous exploit, then the workaround is your best option for keeping your environment safe for now.
So for this workaround, as stated by the VMware KB (1025757), you just need to disable the SFCB (Small Footprint CIM Broker) service on your ESXi hosts. This in itself is quite straightforward. Query the VMhost for its services, find the correct name of the SFCB service, then stop the service and set its startup policy to off.
Get-VMhost | Select -First 1 | Get-VMHostService
Running this command returns all of the services on the VMhost. (Output has been manually trimmed to show only the needed service.)
Key            Label      Policy Running Required
---            -----      ------ ------- --------
sfcbd-watchdog CIM Server on     True    False
Now that the name of the service is known, sfcbd-watchdog, it can be targeted to be disabled.
Get-VMhost VMhost_Name_Here | Get-VMHostService | Where Key -eq "sfcbd-watchdog" | Stop-VMHostService -confirm:$false
This command will only stop the service. If you were to reboot the host, depending on how the policy is configured, the service would start back up. So the policy needs to be changed.
Get-VMhost VMhost_Name_Here | Get-VMHostService | Where Key -eq "sfcbd-watchdog" | Set-VMHostService -Policy Off
Now that we have figured out the per-VMhost configuration changes, they can be modified to update a cluster at a time by adding Get-Cluster ClusterName at the beginning of the line and piping it to the rest of the command, as in the commands below.
Get-Cluster ClusterName | Get-VMhost | Get-VMHostService | Where Key -eq "sfcbd-watchdog" | Stop-VMHostService -confirm:$false
Get-Cluster ClusterName | Get-VMhost | Get-VMHostService | Where Key -eq "sfcbd-watchdog" | Set-VMHostService -Policy Off
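To confirm the workaround actually landed on every host, the script below reports per host whether sfcbd-watchdog is stopped with its policy off, and flags hosts that could not be queried. It is an added example, not part of the original post. It assumes it is saved as a script, that a Connect-VIServer session is already open, and that ClusterName is the same placeholder used above. The -Remediate switch and the report column names are made up for this example.

```powershell
# Added example (not from the original post). Assumes an active Connect-VIServer session.
# -Remediate is a hypothetical switch for this script: without it the script only audits.
param(
    [string]$ClusterName = 'ClusterName',   # placeholder, as in the post
    [switch]$Remediate
)

$serviceKey = 'sfcbd-watchdog'

# Builds one report row; column names are chosen for this example.
function New-Row($HostName, $Svc, $Note) {
    [pscustomobject]@{
        VMHost    = $HostName
        Running   = $Svc.Running
        Policy    = $Svc.Policy
        Compliant = [bool]($Svc -and -not $Svc.Running -and $Svc.Policy -eq 'off')
        Note      = $Note
    }
}

$report = foreach ($vmhost in Get-Cluster -Name $ClusterName | Get-VMHost) {
    # Disconnected or unresponsive hosts cannot be queried or changed; report them
    # so they are not silently missed and can be fixed once they are back.
    $state = "$($vmhost.ConnectionState)"
    if ($state -notin 'Connected', 'Maintenance') {
        New-Row $vmhost.Name $null "Skipped, host is $state"
        continue
    }

    $svc = Get-VMHostService -VMHost $vmhost | Where-Object Key -eq $serviceKey
    if (-not $svc) {
        New-Row $vmhost.Name $null 'Service not found'
        continue
    }

    if ($Remediate) {
        # Same two steps as the post: stop the service, then set the policy to off.
        if ($svc.Running)          { Stop-VMHostService -HostService $svc -Confirm:$false | Out-Null }
        if ($svc.Policy -ne 'off') { Set-VMHostService -HostService $svc -Policy Off | Out-Null }
        # Re-read the state from the host instead of trusting the cmdlet return values.
        $svc = Get-VMHostService -VMHost $vmhost -Refresh | Where-Object Key -eq $serviceKey
    }

    New-Row $vmhost.Name $svc ''
}

# Non-compliant and skipped hosts sort to the top.
$report | Sort-Object Compliant, VMHost | Format-Table -AutoSize
```

Re-running it without -Remediate after host reboots or after adding hosts to the cluster shows whether any host has drifted back to a running service or an "on" policy.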
Now with this workaround in place, you have the time to start planning your vCenter upgrade.