Resolving the deserialization vulnerability for vRealize Orchestrator (CVE-2015-6934)

Article ID: 344040

Products

VMware Aria Suite

Issue/Introduction

A deserialization vulnerability involving Apache Commons-collections and a specially constructed chain of classes exists. Successful exploitation could result in remote code execution, with the permissions of the application using the Commons-Collections library.

Environment

VMware vCenter Orchestrator 4.2.x
VMware vCenter Orchestrator 5.5.x
VMware vRealize Orchestrator 6.0.x
VMware vCenter Orchestrator 5.1.x

Resolution

To resolve this issue, download the attached patch and follow the steps:

Note: The following procedure is also applicable to the embedded vRealize Orchestrator in vRealize Automation 6.2.x, vCloud Automation Center 6.1.x, and vCloud Automation Center 6.0.x.

For the Orchestrator Appliance 5.5.x and 6.0.x

  1. Download the archive and extract the content.
  2. Upload commons-collections-3.2.2.jar file to your appliance.

    Use WinSCP for Windows and SCP for Linux.

  3. Log in to the appliance console and replace the commons-collections-3.2.1.jar file with the commons-collections-3.2.2.jar file.
    1. Stop the Orchestrator services:

      /etc/init.d/vco-server stop

      /etc/init.d/vco-configurator stop


    2. Replace the commons-collections jar with commons-collections-3.2.2.jar by running the following commands:
      • For the Orchestrator server service:

        cp commons-collections-3.2.2.jar /var/lib/vco/app-server/deploy/vco/WEB-INF/lib/

        rm /var/lib/vco/app-server/deploy/vco/WEB-INF/lib/commons-collections-3.2.1.jar

        chown vco:vco /var/lib/vco/app-server/deploy/vco/WEB-INF/lib/commons-collections-3.2.2.jar


      • For the Orchestrator configuration service:

        cp commons-collections-3.2.2.jar /var/lib/vco/configuration/lib/o11n/

        rm /var/lib/vco/configuration/lib/o11n/commons-collections-3.2.1.jar

        chown vco:vco /var/lib/vco/configuration/lib/o11n/commons-collections-3.2.2.jar


    3. Start the Orchestrator services:

      /etc/init.d/vco-server start

      /etc/init.d/vco-configurator start


  4. Verify that Orchestrator is running as expected.

For the Orchestrator standalone Windows installation 5.5.x and 6.0.x

  1. Download the archive and extract the content.
  2. Replace commons-collections-3.2.1.jar with commons-collections-3.2.2.jar.

    1. Stop the Orchestrator services from the Windows command prompt:

      net stop vCOConfiguration

      net stop VMwareOrchestrator



    2. Replace commons-collections-3.2.1.jar with commons-collections-3.2.2.jar in the following locations:

      orchestrator_install_folder\app-server\deploy\vco\WEB-INF\lib\

      orchestrator_install_folder\configuration\lib\o11n\


    3. Start the Orchestrator services:

      net start vCOConfiguration

      net start VMwareOrchestrator


  3. Verify that Orchestrator is running as expected.
  4. Repeat the steps for every embedded Orchestrator server instance.

For the Orchestrator Appliance 4.2.x and 5.1.x

  1. Download the archive and extract the content.
  2. Upload commons-collections-3.2.2.jar to your appliance.

    Use WinSCP for Windows and SCP for Linux.

  3. Log in to the appliance console and replace commons-collections.jar with commons-collections-3.2.2.jar.
    1. Stop the Orchestrator services:

      /etc/init.d/vcod stop

      /etc/init.d/jettyd stop


    2. Back up the current commons-collections JAR file.

      cp /opt/vmo/app-server/server/vmo/lib/commons-collections.jar ./


    3. Replace the commons-collections jar with commons-collections-3.2.2.jar by running the following commands:
      • For the Orchestrator server service:

        rm /opt/vmo/app-server/server/vmo/lib/commons-collections.jar

        cp commons-collections-3.2.2.jar /opt/vmo/app-server/server/vmo/lib/

        chown vco:vco /opt/vmo/app-server/server/vmo/lib/commons-collections-3.2.2.jar


      • For the Orchestrator configuration service:

        rm /opt/vmo/configuration/jetty/lib/ext/commons-collections.jar

        cp commons-collections-3.2.2.jar /opt/vmo/configuration/jetty/lib/ext/

        chown vco:vco /opt/vmo/configuration/jetty/lib/ext/commons-collections-3.2.2.jar


    4. Start the Orchestrator services:

      /etc/init.d/vcod start

      /etc/init.d/jettyd start


  4. Verify that Orchestrator is running as expected.

For the Orchestrator standalone Windows installation 4.2.x and 5.1.x

  1. Download the archive and extract the content.
  2. Replace commons-collections.jar with commons-collections-3.2.2.jar.
    1. Stop the Orchestrator services from the Windows command prompt:

      net stop vCOConfiguration

      net stop VMwareOrchestrator


    2. Back up and replace commons-collections.jar with commons-collections-3.2.2.jar in the following locations:

      orchestrator_install_folder\app-server\server\vmo\lib\commons-collections.jar

      orchestrator_install_folder\configuration\jetty\lib\ext\commons-collections.jar


    3. Start the Orchestrator services:

      net start vCOConfiguration

      net start VMwareOrchestrator


  3. Verify that Orchestrator is running as expected.
  4. Repeat the steps for every embedded Orchestrator server instance.

Revert the changes

You can revert the changes if you find a problem with Orchestrator after applying the JAR file.

For the Orchestrator Appliance 5.5.x and 6.0.x

  1. Stop the Orchestrator services:

    /etc/init.d/vco-server stop

    /etc/init.d/vco-configurator stop


  2. Add the following system property to JVM_OPTS in /var/lib/vco/app-server/bin/setenv.sh and /var/lib/vco/configuration/bin/setenv.sh:

    -Dorg.apache.commons.collections.enableUnsafeSerialization=true

  3. Start the Orchestrator services:

    /etc/init.d/vco-server start

    /etc/init.d/vco-configurator start

For the Orchestrator standalone Windows installation 5.5.x and 6.0.x

  1. Stop the Orchestrator services from the Windows command prompt:

    net stop vCOConfiguration

    net stop VMwareOrchestrator
  2. Add wrapper.java.additional.[next number]="-Dorg.apache.commons.collections.enableUnsafeSerialization=true" to the Java Additional Parameters section, located in the following files:

    orchestrator_install_folder\app-server\bin\wrapper.conf

    orchestrator_install_folder\app-server\bin\wrapper-auto.conf

    orchestrator_install_folder\configuration\bin\wrapper.conf

    orchestrator_install_folder\configuration\bin\wrapper-auto.conf
  3. Start the Orchestrator services:

    net start vCOConfiguration

    net start VMwareOrchestrator

For the Orchestrator Appliance 4.2.x and 5.1.x

  1. Stop the Orchestrator services:

    /etc/init.d/vcod stop

    /etc/init.d/jettyd stop


  2. Add the following property to /opt/vmo/app-server/bin/wrapper.conf and /opt/vmo/configuration/jetty/jetty-service.conf:

    wrapper.java.additional.[next number]="-Dorg.apache.commons.collections.enableUnsafeSerialization=true"

  3. Start the Orchestrator services:

    /etc/init.d/vcod start

    /etc/init.d/jettyd start

For the Orchestrator standalone Windows installation 4.2.x and 5.1.x

  1. Stop the Orchestrator services from the Windows command prompt:

    net stop vCOConfiguration

    net stop VMwareOrchestrator

  2. Add wrapper.java.additional.[next number]="-Dorg.apache.commons.collections.enableUnsafeSerialization=true" to the Java Additional Parameters section, located in the following files:

    orchestrator_install_folder\app-server\bin\wrapper.conf

    orchestrator_install_folder\configuration\jetty-service.conf


  3. Start the Orchestrator services:

    net start vCOConfiguration

    net start VMwareOrchestrator

Recognize if there is an attempt of using forbidden classes in commons-collections

If something tries to use forbidden classes, a warning is saved in the Orchestrator log, which is similar to the following example:

WARN {} [Filter] Throwable thrown during doFilter on request with URI: /vco/webremoting/vcofactory.service and Query: null
Serialization support for org.apache.commons.collections.functors.InvokerTransformer is disabled for security reasons. To reenable the support, you must set the org.apache.commons.collections.enableUnsafeSerialization system property to true, but you must ensure that your application does not deserialize objects from untrusted sources.
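A post-patch audit for the appliance procedures above, added here as an example rather than the article's own tooling: it reports whether a lib directory still holds the old commons-collections JAR, whether a JVM option file still carries the revert flag that switches unsafe deserialization back on, and how many blocked deserialization attempts an Orchestrator log records. The sample tree and log lines are constructed; the warning pattern is generalized to match any blocked functors class, not only the InvokerTransformer shown above.

```shell
#!/bin/sh
# Post-patch audit for the CVE-2015-6934 fix (added example, not the KB's own
# tooling). Paths are arguments, so it fits the /var/lib/vco and /opt/vmo layouts.

# Patch state of one lib directory: vulnerable (old JAR still present), patched or missing.
cc_jar_state() {
    if [ -f "$1/commons-collections-3.2.1.jar" ] || [ -f "$1/commons-collections.jar" ]; then
        echo vulnerable   # the old JAR would still be loaded from the classpath
    elif [ -f "$1/commons-collections-3.2.2.jar" ]; then
        echo patched
    else
        echo missing
    fi
}

# Succeeds when a JVM option file (setenv.sh, wrapper.conf, jetty-service.conf)
# still carries the revert flag that switches unsafe deserialization back on.
unsafe_override_set() {
    grep -q 'org.apache.commons.collections.enableUnsafeSerialization=true' "$1"
}

# Number of blocked deserialization attempts recorded in an Orchestrator log;
# matches any forbidden functors class, not only InvokerTransformer.
count_forbidden_class_warnings() {
    grep -c 'Serialization support for org\.apache\.commons\.collections\.functors\.[A-Za-z]* is disabled' "$1" || true
}

# Constructed sample tree standing in for an appliance: one patched lib dir,
# one unpatched one, a setenv.sh carrying the revert flag, and a short log.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/patched" "$root/unpatched" "$root/bin"
    : > "$root/patched/commons-collections-3.2.2.jar"
    : > "$root/unpatched/commons-collections-3.2.1.jar"
    echo 'JVM_OPTS="$JVM_OPTS -Dorg.apache.commons.collections.enableUnsafeSerialization=true"' > "$root/bin/setenv.sh"
    printf '%s\n' \
      'WARN {} [Filter] Throwable thrown during doFilter on request with URI: /vco/webremoting/vcofactory.service and Query: null' \
      'Serialization support for org.apache.commons.collections.functors.InvokerTransformer is disabled for security reasons.' \
      'WARN {} [Filter] Serialization support for org.apache.commons.collections.functors.InstantiateTransformer is disabled for security reasons.' \
      > "$root/server.log"
    echo "$root"
}

# Usage on the fixture; on a real appliance pass the article's lib, bin and log paths.
r=$(make_fixture)
for d in patched unpatched; do echo "$d lib dir: $(cc_jar_state "$r/$d")"; done
unsafe_override_set "$r/bin/setenv.sh" && echo "setenv.sh: unsafe serialization re-enabled"
echo "blocked deserialization attempts in log: $(count_forbidden_class_warnings "$r/server.log")"
rm -rf "$r"
```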


Attachments

commons-collections-3.2.2-bin.zip