Remediating VMSA-2022-0003 vulnerability in SDDC Manager

Article ID: 313537


Products

VMware Cloud Foundation

Issue/Introduction

VMware strongly recommends that customers on the affected VCF 4.x versions listed below upgrade to the VCF 4.3.1.1 release to remediate the vulnerabilities in this VMSA.

If customers are unable to do so, this article provides guidance on the workaround applicable to their version.

Affected Versions: 4.0.0.0, 4.0.0.1, 4.0.1.0, 4.0.1.1, 4.1.0.0, 4.1.0.1, 4.2.0.0, 4.2.1.0, 4.3.0.0, 4.3.1.0

The information contained in this article applies to customers on both VCF on VxRail and VCF (vSAN Ready Nodes).

Symptoms:
As documented in VMSA-2022-0003, all versions of VMware Cloud Foundation prior to 4.3.1.1 (VCF 4.0.x.x, 4.1.x.x, 4.2.x.x, 4.3.0.0, 4.3.1.0) are affected by the vulnerabilities listed in the advisory.
VCF 4.3.1.1, the latest VCF version, contains the fix for the vulnerabilities listed in the advisory.

CVE-2022-22939 - VMSA-2022-0003

Environment

VMware Cloud Foundation 4.2.x
VMware Cloud Foundation 4.1
VMware Cloud Foundation 4.0.x
VMware Cloud Foundation 4.3.1.0
VMware Cloud Foundation 4.3

Cause

As documented in VMSA-2022-0003, all VMware Cloud Foundation 4.x versions prior to VCF 4.3.1.1 are affected by the vulnerabilities listed in the advisory.

Resolution

VMware Cloud Foundation Version | Upgrade Options If Upgrading to VCF 4.3.1.1 Is Not Possible
4.0.x | Follow the "VCF 4.0.x release" steps in the Workaround section of this article
4.1.x | Follow the "VCF 4.1.x release" steps in the Workaround section of this article
4.2.x | Follow the "VCF 4.2.x release" steps in the Workaround section of this article
4.3.x | Upgrade to VCF 4.3.1.1 as documented in the VCF 4.3.1.1 Release Notes

Workaround:


VCF 4.0.x release

Pre-requisites:

  1. Ensure the environment is at VCF 4.0.1.1 (upgrade to VCF 4.0.1.1 first if it is not)
  2. Confirm there are no operations running in SDDC Manager
  3. Take a powered-on snapshot of the SDDC Manager VM from the vCenter UI, deselecting both options ("Include virtual machine's memory" and quiescing); see KB1015180

Procedure

  1. Download the 4.0.1.1 VMware Cloud Foundation Configuration drift bundle (bundle id bundle-52866)
  2. Navigate to the "Updates/Patches" tab of the management domain in the SDDC Manager UI
  3. Run the upgrade precheck. See Perform Update Precheck
  4. In the "Available Updates" section, click "Update Now" next to the "VMware Cloud Foundation Configuration drift bundle"
     NOTE: After the upgrade is completed, a green bar with a check mark is displayed.
  5. Remove the snapshot taken in the Pre-requisites section
  6. Perform password management (password rotate / manually update password) for all components

NOTE: If the environment is running an ESXi custom build or hot patch provided by VMware, contact VMware Technical Support for assistance.

VCF 4.1.x release

Pre-requisites:

  1. Ensure the environment is at VCF 4.1.0.1 (upgrade to VCF 4.1.0.1 first if it is not)
  2. Confirm there are no operations running in SDDC Manager
  3. Take a powered-on snapshot of the SDDC Manager VM from the vCenter UI, deselecting both options ("Include virtual machine's memory" and quiescing); see KB1015180

Procedure

  1. Download the 4.1.0.1 VMware Cloud Foundation Configuration drift bundle (bundle id bundle-52820)
  2. Navigate to the "Updates/Patches" tab of the management domain in the SDDC Manager UI
  3. Run the upgrade precheck. See Perform Update Precheck
  4. In the "Available Updates" section, click "Update Now" next to the "VMware Cloud Foundation Configuration drift bundle"
     NOTE: After the upgrade is completed, a green bar with a check mark is displayed.
  5. Remove the snapshot taken in the Pre-requisites section
  6. Perform password management (password rotate / manually update password) for all components

NOTE: If the environment is running an ESXi custom build or hot patch provided by VMware, contact VMware Technical Support for assistance.


VCF 4.2.x release

Pre-requisites:

  1. Ensure the environment is at VCF 4.2.1.0 (upgrade to VCF 4.2.1.0 first if it is not)
  2. Confirm there are no operations running in SDDC Manager
  3. Take a powered-on snapshot of the SDDC Manager VM from the vCenter UI, deselecting both options ("Include virtual machine's memory" and quiescing); see KB1015180

Procedure

  1. Download patch.tar from the "Attachments" section of this article
  2. SSH to the SDDC Manager VM as the "vcf" user, then issue the su command to switch to the root user
  3. Use a file transfer utility to copy the patch.tar file to the /tmp folder on the SDDC Manager VM
  4. Issue the following command to change to the /tmp directory:

root@sddc-manager [ /home/vcf ]# cd /tmp

  5. Issue the following command to extract the patch.tar file:

root@sddc-manager [ /tmp ]# tar -xvf patch.tar

  6. Issue the following command to apply the patch:

root@sddc-manager [ /tmp ]# ./bin/run.sh

  7. Issue the following command to validate the versions of the patched services:

root@sddc-manager [ /tmp ]# curl -X GET http://localhost/inventory/vcfservices | json_pp

Sample output:

[
   {
      "id" : "f0c04887-dbf3-498a-b55a-12a28e668254",
      "version" : "1.5.14-vcf4210RELEASE-533",
      "description" : "VMware vCloud Foundation Multi-Site Management",
      "status" : "ACTIVE",
      "serviceUrl" : "http://127.0.0.1:7800/pantheon",
      "name" : "MULTI_SITE_SERVICE"
   },
   {
      "version" : "4.2.1-vcf4211RELEASE-19420580",
      "id" : "8991053d-235f-419d-b92b-d0c9fa1615a6",
      "name" : "DOMAIN_MANAGER",
      "status" : "ACTIVE",
      "description" : "Domain Manager",
      "serviceUrl" : "http://127.0.0.1/domainmanager"
   },
   {
      "version" : "4.2.1-vcf4211RELEASE-19420580",
      "id" : "bf7fa9d5-5c33-47c7-b19a-847152d9badb",
      "serviceUrl" : "http://127.0.0.1/lcm",
      "status" : "ACTIVE",
      "description" : "LCM",
      "name" : "LCM"
   },
   {
      "name" : "COMMON_SERVICES",
      "description" : "Platform services",
      "status" : "ACTIVE",
      "serviceUrl" : "http://localhost/commonsvcs",
      "id" : "cc4272e7-cca2-44d4-a54d-f9de1d7d1e39",
      "version" : "4.2.1-vcf4211RELEASE-19420580"
   },
   {
      "name" : "OPERATIONS_MANAGER",
      "serviceUrl" : "http://127.0.0.1/operationsmanager",
      "description" : "Operations Manager",
      "status" : "ACTIVE",
      "id" : "b0277ec5-19f4-4b6c-92f6-c36f285590d9",
      "version" : "4.2.1-vcf4211RELEASE-19420580"
   },
   {
      "name" : "SDDC_MANAGER_UI",
      "description" : "Sddc Manager UI App",
      "status" : "ACTIVE",
      "serviceUrl" : "http://127.0.0.1/sddc-manager-ui-app",
      "id" : "1c98dc06-db32-428a-a044-a1f57f6ef54f",
      "version" : "4.2.1-vcf4211RELEASE-19233172"
   }
]

  8. Remove the snapshot taken in the Pre-requisites section
  9. Perform password management (password rotate / manually update password) for all components

NOTE: If the environment is running an ESXi custom build or hot patch provided by VMware, contact VMware Technical Support for assistance.
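The validation step above only shows a sample listing to compare against by eye. As an added example that is not part of this KB or of VMware's tooling, the following Python script parses the same /inventory/vcfservices JSON and flags each expected service as ok, outdated, not ACTIVE, missing, or unparseable, using the versions from the sample output as the baseline; a later build on the same or a newer release tag is also accepted as ok. The pre-patch inventory embedded in it is constructed, not real SDDC Manager output.

```python
import json
import re

# Expected versions from the KB's sample output after the 4.2.1.0 patch.
# MULTI_SITE_SERVICE is omitted: the article states no expected version for it.
EXPECTED = dict.fromkeys(
    ["DOMAIN_MANAGER", "LCM", "COMMON_SERVICES", "OPERATIONS_MANAGER"],
    "4.2.1-vcf4211RELEASE-19420580")
EXPECTED["SDDC_MANAGER_UI"] = "4.2.1-vcf4211RELEASE-19233172"

# "4.2.1-vcf4211RELEASE-19420580" = product version, release tag, build number.
VERSION_RE = re.compile(r"^[\d.]+-vcf(?P<tag>\d+)RELEASE-(?P<build>\d+)$")

def _key(version):
    """Comparable (tag, build) tuple, or None if the string is unparseable."""
    m = VERSION_RE.match(version or "")
    return (int(m["tag"]), int(m["build"])) if m else None

def check_inventory(inventory_json, expected=EXPECTED):
    """Map each expected service to 'ok', 'outdated', 'inactive',
    'missing' or 'unparseable' based on /inventory/vcfservices JSON."""
    seen = {svc.get("name"): svc for svc in json.loads(inventory_json)}
    verdicts = {}
    for name, want in expected.items():
        svc = seen.get(name)
        if svc is None:
            verdicts[name] = "missing"
        elif svc.get("status") != "ACTIVE":
            verdicts[name] = "inactive"
        elif _key(svc.get("version")) is None:
            verdicts[name] = "unparseable"
        elif _key(svc["version"]) >= _key(want):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "outdated"
    return verdicts

# Constructed sample (not real output): one older build, one not ACTIVE, UI absent.
SAMPLE_PRE_PATCH = json.dumps([
    {"name": "DOMAIN_MANAGER", "status": "ACTIVE", "version": "4.2.1-vcf4210RELEASE-10000000"},
    {"name": "LCM", "status": "ACTIVE", "version": "4.2.1-vcf4211RELEASE-19420580"},
    {"name": "COMMON_SERVICES", "status": "STOPPED", "version": "4.2.1-vcf4211RELEASE-19420580"},
    {"name": "OPERATIONS_MANAGER", "status": "ACTIVE", "version": "4.2.1-vcf4211RELEASE-19420580"},
])

if __name__ == "__main__":  # pipe the KB's curl output in, or run stand-alone
    import sys
    data = SAMPLE_PRE_PATCH if sys.stdin.isatty() else sys.stdin.read()
    for name, verdict in sorted(check_inventory(data).items()):
        print(f"{name:<20} {verdict}")
```

On the appliance, feed it the KB's validation query directly: `curl -s http://localhost/inventory/vcfservices | python3 check_vcf_services.py` (the file name is an assumption).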

Additional Information

  • This release also remediates the Log4j vulnerability (VMSA-2021-0028) for SDDC Manager


Impact/Risks:
VMware recommends that customers upgrade to the latest VCF release, VCF 4.3.1.1, to remediate the vulnerabilities in this VMSA.

The purpose of this KB is to detail the workaround options available to customers if the upgrade to the latest VCF release is not possible.

However, after remediating the environment with a workaround, customers should plan their next upgrade to VCF 4.3.1.1 or later to prevent a regression.

Attachments

patch