CSP-93316 - Patch instructions to upgrade Java version
book
Article ID: 369294
calendar_today
Updated On:
Products
VMware Aria Suite
Issue/Introduction
This article provides important information for upgrading the Java version to fix the below vulnerabilities.
List of affected version
Product Component
Version(s)
Applicable CVE(s)
VMware Identity Manager Appliance
3.3.7
CVE-2024-20918
CVE-2024-20919
CVE-2024-20921
CVE-2024-20926
CVE-2024-20932
CVE-2024-20945
CVE-2024-20952
Environment
VMware Identity Manager 3.3.x
Resolution
Before You Begin:
It is recommended to upgrade instances of unsupported versions to newer, supported versions first before applying the patch. This procedure will not work for other versions. Please refer to the VMware Lifecycle Matrix https://lifecycle.vmware.com/ for the list of supported versions of the product.
It is strongly recommended to take a snapshot or backup of the Appliance(s) and the database server before applying the procedure.
It is strongly recommended to make sure below changes
a. Login to AD server. Open "Active Directory Users and Computers".
b. Right click and open properties of bind user.
i. Click on Account tab
ii. Under Account options: check below options
This account supports Kerberos AES 128 bit encryption.
This account supports Kerberos AES 256 bit encryption.
c. Open "Local Security Policy"
i. Security Settings -> Local Policies -> Security Options
ii. Double click on "Network Security: Configure encryption types allowed for Kerberos".
iii. Under "Local Security Setting: check below options.
Download and transfer CSP-93316-Appliance-3.3.7.zip to the virtual appliance. This zip file can be saved anywhere on the file system. VMware recommends SCP protocol to transfer the file to the appliance. Tools such as winscp can also be used to transfer the file to the appliance.
Navigate to the files within the unzipped folder using the command below.
cd CSP-93316-Appliance-3.3.7/CSP-93316-Appliance-3.3.7/
Run the patch script using below command
./CSP-93316-applyPatch.sh
Note: If you are running a cluster deployment, repeat the steps above on all additional nodes of the cluster.
Patch Deployment Validations:
After the patch deployment, perform below steps to confirm patch is applied successfully
Login as an Administrator to the VIDM Console and verify the System Diagnostics page is green.
If the patch is applied successfully you can find a flag file created as CSP-93316-3.3.7-hotfix.applied in the /usr/local/horizon/conf/flags directory.
Login as local administrator into the Service and navigate to Legacy Connector page.Click on the Worker link and check whether the auth adapters load under the "Auth Adapters" tab. Click on any Enabled auth adapter and check if the page opens correctly.
Perform Directory Sync to validate users/groups are synced.
Check in the UI portal, if the all tabs open properly, including the cfg page https://<vidm-hostname>:8443
Check the Admin Portal and the Connectors page shows the version as "3.3.7.0 Build 23103647"
Additional Information
To revert this patch, you can revert to the appliance(s) snapshot and the database backup taken before applying these steps.