Workaround Instructions for CVE-2021-3449 and CVE-2021-3450 on UAG


Article ID: 342610


Products

VMware

Issue/Introduction

The VMware Unified Access Gateway team has investigated the OpenSSL 1.1.1 vulnerabilities CVE-2021-3449 and CVE-2021-3450 and has determined that the possibility of exploitation can be removed by upgrading to Unified Access Gateway version 2103.1. Details of these vulnerabilities can be found in the OpenSSL Security Advisory [25 March 2021].


Environment

Unified Access Gateway 2012
Unified Access Gateway 3.10
Unified Access Gateway 2103
Unified Access Gateway 2009

Resolution



Workaround:

If an immediate deployment of Unified Access Gateway version 2103.1 is not possible and the appliance has access to the Internet, then the steps documented below for versions 3.10, 2009, 2009.1, 2012 and 2103 can be used as a temporary measure until the deployment of version 2103.1 can be scheduled.

These workaround steps will result in a restart of the main esmanager process on Unified Access Gateway and will therefore be disruptive to any users currently logged on.

Steps to work around the issue:

Log in to the Unified Access Gateway console as "root". At the command prompt, run the following 3 commands. The first command takes a few minutes to run; allow it to complete before going on to the other commands.

tdnf makecache
tdnf -y update nxtgn-openssl-1.1.1j-2.ph3.x86_64
supervisorctl restart esmanager
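
A post-update check, added here as an example and not part of the original article or VMware's tooling: it compares the installed package against the version-release named in the tdnf command above. The package name nxtgn-openssl is derived from that command; the function names are hypothetical, the sample strings are constructed, and GNU `sort -V` is assumed to be an adequate stand-in for RPM's own version ordering.

```shell
#!/bin/sh
# Added example (not VMware code): check that nxtgn-openssl is at or above
# the build named in the workaround's tdnf command.
# Assumption: GNU `sort -V` ordering stands in for RPM's version comparison.

FIXED="1.1.1j-2.ph3"   # version-release from the article's tdnf command

# is_patched NVRA -> 0 if >= FIXED, 1 if older, 2 if not a recognised string
is_patched() {
    case $1 in
        nxtgn-openssl-*.x86_64) ;;
        *) return 2 ;;
    esac
    vr=${1#nxtgn-openssl-}   # strip package name
    vr=${vr%.x86_64}         # strip architecture
    lowest=$(printf '%s\n%s\n' "$FIXED" "$vr" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED" ]
}

# verdict NVRA -> prints one status line, always returns 0
verdict() {
    rc=0
    is_patched "$1" || rc=$?
    case $rc in
        0) echo "ok: $1 is at or above $FIXED" ;;
        1) echo "outdated: $1 is below $FIXED" ;;
        *) echo "unrecognised: $1" ;;
    esac
}

# check_installed -> queries the RPM database on the appliance itself
check_installed() {
    nvra=$(rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' nxtgn-openssl 2>/dev/null) || {
        echo "unknown: nxtgn-openssl not found in the RPM database"
        return 2
    }
    verdict "$nvra"
}

if [ "${1:-}" = "--live" ]; then
    check_installed          # run on the UAG console after the tdnf update
else
    # Constructed sample strings, not output captured from a real appliance
    for s in nxtgn-openssl-1.1.1i-3.ph3.x86_64 \
             nxtgn-openssl-1.1.1j-1.ph3.x86_64 \
             nxtgn-openssl-1.1.1j-2.ph3.x86_64; do
        verdict "$s"
    done
fi
```

The check covers the installed package only; the esmanager restart in the third command remains a separate step of the workaround.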

 


Additional Information

Impact/Risks:
Product Versions: Unified Access Gateway versions 3.10, 2009, 2009.1, 2012 and 2103 are affected. Versions earlier than 3.10 do not use this OpenSSL version and are therefore not impacted.