Latest vCenter and Latest Chrome = No Love

Yesterday I first noticed this Flash plugin crash in my Chrome soon after I entered my vCenter credentials: “Shockwave Flash has crashed – Reload”.

I’m running vCenter Server Appliance 6.5 Update 1 (6.5.0.10100 Build Number 6671409) and Chrome Version 61.0.3163.100 (Official Build) (32-bit). Initially I thought this is something related to my setup, I reverted to the old Internet Explorer to do my job, and I forgot about the error.

This morning I saw this Twitter thread started by William Lam:

I thought it was just me, but apparently other folks reporting Flash crashing immediately w/Flash Web Client on latest Chrome. Anyone else? pic.twitter.com/8RWbyPGLG4

— William Lam (@lamw.bsky.social | @[email protected]) (@lamw) October 15, 2017

And then I realized it’s not my setup issue anymore. Reports are coming across multiple operating systems (Windows and OSX), multiple products interfaces (vCenter and vCloud Director).

What can you do at this moment? Switch to Firefox, Safari (both removed from list due to new updates causing same Flash error), Internet Explorer, Edge or something else.

UPDATE – 16 October 2017

William Lam published a blog post with details on the issue (new Flash version distributed by Chrome) and a possible workaround. It involves replacing current Flash version for Chrome with a previous one. Get more details here.

VMware also published KB2151945. Details are scarce, basically saying “VMware is currently investigating this issue. Currently there is no resolution”. VMware updated the KB and provided similar workarounds as William previously posted on his blog.

UPDATE 2 – 16 October 2017

To make thinks worse (or better?), Adobe released a security bulletin regarding the new Flash version.

Adobe has released a security update for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. This update addresses a critical type confusion vulnerability that could lead to code execution.

Adobe is aware of a report that an exploit for CVE-2017-11292 exists in the wild, and is being used in limited, targeted attacks against users running Windows.

Adobe’s recommendation is to install Flash Player 27.0.0.170 as priority 1 (this is the version installed by the latest Chrome, Firefox and Safari).

So now, we have a choice, we stay secure with the updated version and wait for a fix from VMware, or we accept the security risks and we revert to an old Flash version.

UPDATE 3 – 17 October 2017

One Adobe employee posted few technical details on Adobe forum:

For background, to address the security issue discovered in the wild that prompted this release [1], we more tightly enforce rules in the initial validation of the SWF bytecode. For some reason, the SWF that VMWare uses is failing those validation checks.

I see two potential solutions: one is that Adobe will allow SWF to run after this type of failure (more likely), second one is for VMware to resolve the actual error from the SWF (less likely).

UPDATE 4 – 19 October 2017

Adobe released Flash Player 27 Beta (27.0.0.180) which contains the fix for this issue. Release Notes for this version lists this fix:

Flashplayer quits unexpectedly when logging into VCD (Virtual Cloud) Portal(FP-4198649, FP-4198655, FP-4198654, FP-4198653)

After installing the beta version, I was able to load vSphere Web Client. No side effect so far 🙂

UPDATE 5 – 19 October 2017

Adobe released Flash Player 27.0.0.183 which resolves the initial issue. You can download it from normal location: https://get.adobe.com/flashplayer/.