CSP-93316 - Patch instructions to upgrade Java version

Article ID: 369294

Products

VMware Aria Suite

Issue/Introduction

Patch Superseded

This patch (CSP-93316) has been superseded and is no longer available. Please install the latest cumulative update, CSP-102092, by following the instructions in KB 412021.

Vulnerabilities Addressed by This (Superseded) Patch

This article provides information on a previous patch (CSP-93316) that upgraded the Java version to fix the security vulnerabilities listed below.


Affected Product

  • VMware Identity Manager Appliance: 3.3.7

Applicable CVEs

CVE-2024-20918, CVE-2024-20919, CVE-2024-20921, CVE-2024-20926, CVE-2024-20932, CVE-2024-20945, CVE-2024-20952

Environment

VMware Identity Manager 3.3.x

Resolution

Prerequisites (for Superseded Patch CSP-93316)

  • Version Support: It is recommended to upgrade any unsupported product versions to a supported version before patching. Please refer to the Broadcom Product Lifecycle Matrix for a list of supported versions.
  • Snapshots/Backups: It is strongly recommended to take a snapshot or backup of the appliance(s) and the database server before proceeding.

  • Configure Kerberos Encryption Types in Active Directory:
    1. Log in to your Active Directory server and open "Active Directory Users and Computers".
    2. Right-click the bind user, select Properties, and go to the Account tab.
      • Under "Account options", ensure the following options are checked:
        - This account supports Kerberos AES 128 bit encryption.
        - This account supports Kerberos AES 256 bit encryption.
    3. Open "Local Security Policy" on the server.
      • Navigate to Security Settings > Local Policies > Security Options.
      • Double-click on "Network Security: Configure encryption types allowed for Kerberos".
      • Under "Local Security Setting", ensure the following options are checked:
        - AES128_HMAC_SHA1
        - AES256_HMAC_SHA1
        - Future encryption types
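
Windows stores the checkboxes above as a bitmask: the account options in the bind user's msDS-SupportedEncryptionTypes attribute, and the policy in the SupportedEncryptionTypes registry value. The PowerShell below is an added example, not part of the original article or any vendor tooling, that decodes such a value and reports which of the required options are missing. The function name, the `svc-bind` account name and the sample values are assumptions made for illustration.

```powershell
# Kerberos encryption-type bits, shared by the account attribute
# msDS-SupportedEncryptionTypes and the policy value SupportedEncryptionTypes.
$EncTypeBits = [ordered]@{
    'DES_CBC_CRC'      = 0x1
    'DES_CBC_MD5'      = 0x2
    'RC4_HMAC_MD5'     = 0x4
    'AES128_HMAC_SHA1' = 0x8
    'AES256_HMAC_SHA1' = 0x10
}
$FutureTypes = 0x7FFFFFE0   # "Future encryption types" in the policy dialog

# Hypothetical helper: decode a bitmask and list what the prerequisite still needs.
function Get-KerberosEncTypeReport {
    param([int]$Value, [switch]$Policy)

    $enabled = @($EncTypeBits.GetEnumerator() |
        Where-Object { $Value -band $_.Value } |
        ForEach-Object { $_.Key })
    $missing = @('AES128_HMAC_SHA1', 'AES256_HMAC_SHA1' |
        Where-Object { $enabled -notcontains $_ })
    # Only the policy dialog has a "Future encryption types" checkbox.
    if ($Policy -and (($Value -band $FutureTypes) -ne $FutureTypes)) {
        $missing += 'Future encryption types'
    }
    [pscustomobject]@{
        Value   = '0x{0:X}' -f $Value
        Enabled = $enabled -join ', '
        Missing = $missing -join ', '
        Meets   = ($missing.Count -eq 0)
    }
}

# Constructed sample values (not read from a real directory):
Get-KerberosEncTypeReport -Value 0x18                 # bind user: AES128 + AES256
Get-KerberosEncTypeReport -Value 0x4                  # bind user: RC4 only
Get-KerberosEncTypeReport -Value 0x7FFFFFF8 -Policy   # policy: AES128 + AES256 + Future
Get-KerberosEncTypeReport -Value 0x1C -Policy         # policy: RC4 + AES, Future unchecked

# Live values on the AD server ('svc-bind' is a placeholder bind account name):
#   (Get-ADUser svc-bind -Properties 'msDS-SupportedEncryptionTypes').'msDS-SupportedEncryptionTypes'
#   (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters').SupportedEncryptionTypes
```

An attribute that is not set on the account reads as null and decodes as 0x0, so both AES options are reported as missing.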

Procedure (for Superseded Patch CSP-93316)

  1. Log in to the VMware Identity Manager appliance via SSH as sshuser and elevate to the root user with sudo su -.
  2. Download and transfer the CSP-93316-Appliance-3.3.7.zip file to a temporary location on the appliance.
  3. Unzip the file into a new directory:
    unzip CSP-93316-Appliance-3.3.7.zip -d CSP-93316-Appliance-3.3.7
  4. Navigate into the patch directory (note that the archive extracts into a nested directory of the same name):
    cd CSP-93316-Appliance-3.3.7/CSP-93316-Appliance-3.3.7/
  5. Run the patch script:
    ./CSP-93316-applyPatch.sh

Note: For a clustered deployment, repeat the steps above on all additional nodes sequentially.


Validation (for Superseded Patch CSP-93316)

After the patch deployment, perform the following steps to confirm it was applied successfully:

  1. Log in to the VMware Identity Manager Console and verify the System Diagnostics page shows a green status.
  2. Verify that the patch flag file has been created:
    ls /usr/local/horizon/conf/flags/CSP-93316-3.3.7-hotfix.applied
  3. Verify Legacy Connector functionality by ensuring the Auth Adapters load and open without errors.
  4. Perform a Directory Sync and confirm that users and groups are synchronized correctly.
  5. Check that all UI portal tabs load properly, including the configuration page at https://<vidm-hostname>:8443.
  6. Confirm the new version on the Admin Portal and Connectors page is 3.3.7.0 Build 23103647.

Additional Information

To roll back this patch, revert the appliance(s) to the snapshot and restore the database backup taken before applying these steps.