HW-170932- Patch instructions to address CVE-2023-20884 in Workspace ONE Access (VMware Identity Manager)

Article ID: 369609

Products

VMware Aria Suite

Issue/Introduction

CVE-2023-20884 has been determined to impact Workspace ONE Access (VMware Identity Manager). This vulnerability and its impact on VMware products are documented in VMware Security Advisory VMSA-2023-0011. Please review that advisory before continuing.

Environment

Impacted Product Suites

vRealize Suite Automation Lifecycle Manager (vRSLCM) 8.x: the vRSLCM product suite can be impacted. If vIDM is used within the vRSLCM environment, follow this knowledge base article and apply the patch directly to the vIDM appliance(s).

VMware Cloud Foundation (VCF) 4.x: the VCF product suites can be impacted. If vIDM is used within the VCF environment, follow this knowledge base article and apply the patch directly to the vIDM appliance(s).

 

List of affected versions

Product Component                      | Version(s) | Applicable CVE(s)
VMware Workspace ONE Access Appliance  | 22.09.1.0  | CVE-2023-20884
VMware Identity Manager Appliance      | 3.3.7      | CVE-2023-20884

Impact / Risks

As part of this patch release, an updated connector is also available. The HW-170932-Connector-3.3.7.zip patch supports Active Directory domain controllers on Windows Server 2022. It also includes the fix for HW-172083 (issues with RADIUS authentication for more than one domain). See the official product release notes here.

Resolution

Install the patch relevant to your version of WS1 Access from the table below to address the vulnerabilities noted in this document. No workaround is available for these vulnerabilities.

Before You Begin:

  • It is recommended to upgrade instances of unsupported versions to a newer supported version before applying the patch. This procedure will not work for unsupported versions. Please refer to the Product Lifecycle for the list of supported versions of the product.

  • It is strongly recommended to take a snapshot or backup of the Appliance(s) and the database server before applying the procedure.

  • Download the patches:

Product Component                      | Version(s)
VMware Workspace ONE Access Appliance  | 22.09.1.0
VMware Identity Manager Appliance      | 3.3.7

NOTE:

  • The patch can be deployed independently and will not require all appliances to be offline at the same time. Therefore, the deployment of the patch can be accomplished in a rolling fashion without taking the entire Workspace ONE Access environment offline.

  • This patch can be applied to the appliance regardless of any previous patches applied to the appliance and will not impact the installation.

  • If you are running a cluster deployment, repeat the deployment steps on each additional node of the cluster.

  • To revert this patch, you can revert to the appliance(s) snapshot and the database backup taken before applying these steps.

Patch Deployment Procedure:

  1. Log in as sshuser and sudo to root.
  2. Download and transfer HW-170932-Appliance-<Version>.zip to the virtual appliance. The zip file can be saved anywhere on the file system. VMware by Broadcom recommends using SCP to transfer the file to the appliance; tools such as WinSCP can also be used.
  3. Unzip the file using the command below.

unzip HW-170932-Appliance-<Version>.zip

  4. Change into the unzipped folder using the command below.

cd HW-170932-Appliance-<Version>

  5. Run the patch script using the command below:

./HW-170932-applyPatch.sh

Patch Deployment Validations:

  1. Log in as an administrator to the Workspace ONE Access Console and verify that the System Diagnostics page is green.

  2. If the patch is applied successfully, a flag file named HW-170932-<version-number>-hotfix.applied (for example, HW-170932-22.09.1.0-hotfix.applied) is created in the /usr/local/horizon/conf/flags directory.
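As an added example that is not part of this article, the following POSIX shell helper automates validation step 2 so it can be run on every node during a rolling cluster deployment. The flag directory and file-name pattern come from this article; the function names and the FLAGS_DIR override are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the KB): checks the flag file that HW-170932 writes.
# FLAGS_DIR defaults to the directory named in the article; override it
# (e.g. with a temporary directory) to exercise the functions off-appliance.
FLAGS_DIR="${FLAGS_DIR:-/usr/local/horizon/conf/flags}"

# hotfix_applied VERSION [FLAGS_DIR]
# Exit status 0 if HW-170932-<VERSION>-hotfix.applied exists, 1 otherwise.
hotfix_applied() {
    version="$1"
    dir="${2:-$FLAGS_DIR}"
    [ -f "$dir/HW-170932-$version-hotfix.applied" ]
}

# applied_versions [FLAGS_DIR]
# Prints the version string of every HW-170932 flag present, one per line,
# so a flag for a different appliance build is easy to spot.
applied_versions() {
    dir="${1:-$FLAGS_DIR}"
    for f in "$dir"/HW-170932-*-hotfix.applied; do
        [ -f "$f" ] || continue          # unmatched glob stays literal; skip it
        name=${f##*/}                    # strip directory
        name=${name#HW-170932-}          # strip patch prefix
        printf '%s\n' "${name%-hotfix.applied}"
    done
}

# check_node VERSION [FLAGS_DIR]
# Exit 0 when the flag for VERSION exists and no flag for another version is
# present; 1 if the patch is missing, 2 if a mismatched flag is found.
check_node() {
    version="$1"
    dir="${2:-$FLAGS_DIR}"
    if ! hotfix_applied "$version" "$dir"; then
        echo "HW-170932 not applied for $version in $dir" >&2
        return 1
    fi
    for v in $(applied_versions "$dir"); do
        if [ "$v" != "$version" ]; then
            echo "unexpected HW-170932 flag for version $v in $dir" >&2
            return 2
        fi
    done
    echo "HW-170932 applied for $version"
}
```

Run `check_node 22.09.1.0` (or `check_node 3.3.7`) on each node after the patch script finishes and before moving on to the next node of the cluster.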

NOTE:

If you're encountering a certificate authentication login issue with version 22.09.1.0, please download the HW-182351-Appliance-22.09.1.0.zip file and follow the instructions in the included README to apply the patch.

Change Log:

15th Jun 2023: Added note to download additional patch for cert auth login issue