CVE-2021-44228, CVE-2021-45046, and CVE-2021-22056 have been determined to affect some releases of VMware Identity Manager. These vulnerabilities and their impact on VMware products are documented in VMSA-2021-0028 and VMSA-2021-0030.
Affected Product Versions
Product Component | Version(s)
---|---
VMware Identity Manager Appliance | 3.3.5
VMware Identity Manager Appliance | 3.3.4
VMware Identity Manager Appliance | 3.3.3
Impacted Product Suites
vRealize Suite Automation Lifecycle Manager (vRSLCM) 8.x: the vRSLCM product suite can be impacted. If vIDM is used within the vRSLCM environment, follow this knowledge base article and apply the patch directly to the vIDM appliance(s).
VMware Cloud Foundation (VCF) 4.x: VCF product suites can be impacted. If vIDM is used within the VCF environment, follow this knowledge base article and apply the patch directly to the vIDM appliance(s).
The patch addresses the vulnerabilities identified against the reported CVEs: CVE-2021-44228, CVE-2021-45046, and CVE-2021-22056.
Before You Begin:
It is recommended to upgrade instances of unsupported versions to a newer supported version before applying the patch. This procedure will not work for unsupported versions. Please refer to the VMware Lifecycle Matrix https://lifecycle.vmware.com/ for the list of supported versions of the product.
It is strongly recommended to take a snapshot or backup of the appliance(s) and the database server before applying this procedure.
Download the patches:
Product Component | Version(s)
---|---
VMware Identity Manager Appliance |
VMware Identity Manager Appliance |
VMware Identity Manager Appliance |
Install the patch to address the vulnerability identified against the reported CVEs.
The patch can be deployed independently and will not require all appliances to be offline at the same time. Therefore, the deployment of the patch can be accomplished in a rolling fashion without taking the entire Workspace ONE Access/vIDM environment offline.
Note: This patch can be applied to the appliance regardless of any previous workarounds or patches applied to the appliance; those will not impact the installation of this patch.
Patch Deployment Procedure:
1. Log in as sshuser and sudo to root-level access.
2. Download and transfer HW-150541-Appliance-<appliance version>.zip to the virtual appliance. The zip file can be saved anywhere on the file system. VMware recommends the SCP protocol to transfer the file to the appliance; tools such as WinSCP can also be used.
3. Unzip the file using the command below (for example: unzip HW-150541-Appliance-3.3.5.zip).
# unzip HW-150541-Appliance-<appliance version>.zip
4. Navigate to the files within the unzipped folder using the command below.
# cd HW-150541-Appliance-<appliance version>
5. Run the patch script.
# ./HW-150541-applyPatch.sh
6. Make the Elasticsearch service patch executable and run it.
# chmod +x elasticSearchServicePatch.sh
# ./elasticSearchServicePatch.sh
Note: If you are running a cluster deployment, repeat the steps above on all additional nodes of the cluster.
Note: If the patch is applied on a vRSLCM-deployed single-node appliance and a scale-out operation is performed afterwards, then once the scale-out completes, run the commands below on the scaled-out nodes to remove the applied-flag file, and then apply the patch again by repeating steps 1 through 6.
# cd /usr/local/horizon/conf/flags/
# rm -f HW-150541-Appliance-<appliance version>.applied
Patch Deployment Validations:
After the patch deployment, perform the steps below to confirm that the patch was applied successfully.
Validate the Log4J version. Execute the command below on the appliance to ensure log4j is running with version 2.16.0 (except for log4j-over-slf4j-1.7.30.jar and /opt/vmware/elasticsearch/lib/log4j-core-*.jar in Elasticsearch).
# find /opt/vmware/certproxy /opt/vmware/horizon -iname "log4j*.jar"
Login as Administrator and verify the Diagnostics health status is Green.
The patch script backs up the updated artifacts in the folder /var/HW-150451-patchBackup. Once the validations are done, clean up the backup with the script cleanupBackup.sh:
a. cd HW-150541-Appliance-<appliance version>
b. Run the cleanup script using the command below from the terminal.
# ./cleanupBackup.sh
c. Remove the patch zip file and the extracted folder (for example: rm -rf HW-150541-Appliance-3.3.5.zip HW-150541-Appliance-3.3.5).
# rm -rf HW-150541-Appliance-<appliance version>.zip HW-150541-Appliance-<appliance version>
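The Log4J version check above only lists jar paths; deciding which of them are acceptable is left to the reader. The helper below is an added example (not part of this knowledge base article or a VMware-supplied script) that applies the article's rule to each path: a jar passes if its name ends in 2.16.0, and log4j-over-slf4j-1.7.30.jar and the Elasticsearch log4j-core jar are exempt. The sample paths in demo_constructed are constructed for illustration and are not real appliance paths.

```shell
#!/bin/sh
# check_log4j_jar <path>: classify one log4j jar per the KB validation rule.
# Prints "OK", "EXEMPT" or "FAIL" followed by the path; returns 0 unless FAIL.
check_log4j_jar() {
  path=$1
  base=${path##*/}
  # Exemption 1: the log4j-core jar bundled with Elasticsearch.
  case "$path" in
    /opt/vmware/elasticsearch/lib/log4j-core-*.jar)
      echo "EXEMPT $path"; return 0 ;;
  esac
  case "$base" in
    # Exemption 2: the slf4j bridge jar named in the KB.
    log4j-over-slf4j-1.7.30.jar) echo "EXEMPT $path"; return 0 ;;
    # Any log4j artifact at the patched version (log4j-core, log4j-api, ...).
    log4j-*-2.16.0.jar)          echo "OK $path";     return 0 ;;
    # Anything else (older log4j 2.x, unexpected names) needs attention.
    *)                           echo "FAIL $path";   return 1 ;;
  esac
}

# scan_appliance: run the KB's find command on a real appliance and check
# every result. Returns non-zero if any jar fails. Assumes no whitespace in
# paths under /opt/vmware (true for a stock appliance).
scan_appliance() {
  rc=0
  for jar in $(find /opt/vmware/certproxy /opt/vmware/horizon -iname "log4j*.jar" 2>/dev/null); do
    check_log4j_jar "$jar" || rc=1
  done
  return $rc
}

# demo_constructed: constructed sample paths (not from a real appliance)
# showing the three outcomes. Returns the number of failing jars.
demo_constructed() {
  fails=0
  for jar in \
    /opt/vmware/horizon/example/log4j-core-2.16.0.jar \
    /opt/vmware/horizon/example/log4j-over-slf4j-1.7.30.jar \
    /opt/vmware/elasticsearch/lib/log4j-core-2.11.1.jar \
    /opt/vmware/certproxy/example/log4j-core-2.14.1.jar
  do
    check_log4j_jar "$jar" || fails=$((fails + 1))
  done
  return $fails
}

demo_constructed || echo "constructed sample: $? jar(s) failed validation"
```

On an appliance, replace the last line with `scan_appliance` to evaluate the real find output; a non-zero exit means at least one jar outside the exemptions is not at 2.16.0.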
Note: If you upgrade the appliance to a later version, you will need to reapply the corresponding patch version on all the nodes.
To revert this patch, you can revert to the appliance(s) snapshot and the database backup taken before applying these steps.
Please refer to Operational Verification of Workspace ONE Access documentation in the VMware Validated Design for recommended procedures.
Change Log:
December 20, 2021 PST: Added steps to remove large patch zip files & extracted zip files after patch procedure, and added note for vRLCM deployment