CSP-96928: Patch instructions to upgrade Photon-OS Library, Tomcat template, and RabbitMQ server



Article ID: 377094


Products

VMware Aria Suite

Issue/Introduction

Patch Superseded

This patch (CSP-96928) has been superseded and is no longer available. Please install the latest cumulative update, CSP-102092, by following the instructions in KB 412021.

Vulnerabilities Addressed by This (Superseded) Patch

This article provides information on a previous patch (CSP-96928) that upgraded the Photon OS library, Tomcat, and RabbitMQ server to fix the security vulnerabilities listed below.


Affected Product

  • VMware Identity Manager Appliance: 3.3.7

Applicable CVEs

CVE-2016-10195, CVE-2023-24998, CVE-2023-28708, CVE-2023-28709, CVE-2023-34981, CVE-2023-41080, CVE-2023-42794, CVE-2023-42795, CVE-2023-44487, CVE-2023-45648, CVE-2023-46589, CVE-2024-24549, CVE-2024-23672

Environment

VMware Identity Manager 3.3.x

Resolution

Before You Begin:

  1. It is recommended to upgrade instances running unsupported versions to newer, supported versions before applying the patch. This procedure will not work for other versions. Refer to the Broadcom Lifecycle Matrix for the list of supported versions of the product.

  2. It is strongly recommended to take a snapshot or backup of the Appliance(s) and the database server before applying the procedure.

  3. Verify the permissions on the /usr/local/horizon/conf/flags folder; they must be 777 for the patch to apply successfully.

  4. Apply the latest patch (CSP-99024-Appliance-3.3.7). If the latest patch cannot be applied, follow the steps below after applying this patch.

    Step 1. Copy the attached file (ntp-4.2.8p16-1.ph3.x86_64.rpm) to /tmp.

    Step 2. Run the commands below from /tmp.

    rpm -ivh --force --nodigest --nosignature ntp-4.2.8p16-1.ph3.x86_64.rpm
    rpm -e ntp-4.2.8p14-4.ph3.x86_64 --nodeps

    Step 3. Reboot the nodes sequentially, one at a time.

Patch Deployment Procedure:

  1. Log in as sshuser and sudo to root.

  2. Check the current RabbitMQ version and feature flag settings with the commands below:

    /usr/lib/rabbitmq/lib/rabbitmq_server-<version>/sbin/rabbitmqctl version
    /usr/lib/rabbitmq/lib/rabbitmq_server-<version>/sbin/rabbitmqctl list_feature_flags

    If the RabbitMQ version is earlier than 3.11.x and any feature flags are disabled, all feature flags must be enabled before the patch is installed, because the patch includes RabbitMQ 3.11.18.

    Refer to the documentation below:

    Required feature flags in RabbitMQ 3.11.0

    "If the feature flags are not enabled, RabbitMQ 3.11.0+ will refuse to start."

    Run the commands below to enable all feature flags, then validate the settings:

    /usr/lib/rabbitmq/lib/rabbitmq_server-<version>/sbin/rabbitmqctl enable_feature_flag all
    /usr/lib/rabbitmq/lib/rabbitmq_server-<version>/sbin/rabbitmqctl list_feature_flags

    The output should look like the one below, with all flags enabled:

    root@##### [ ~ ]# /usr/lib/rabbitmq/lib/rabbitmq_server-3.10.7/sbin/rabbitmqctl list_feature_flags
    Listing feature flags ...
    name    state
    classic_mirrored_queue_version    enabled
    drop_unroutable_metric    enabled
    empty_basic_get_metric    enabled
    implicit_default_bindings    enabled
    maintenance_mode_status    enabled
    quorum_queue    enabled
    stream_queue    enabled
    user_limits    enabled
    virtual_host_metadata    enabled

  3. Download and transfer CSP-96928-Appliance-3.3.7.zip to the virtual appliance. The zip file can be saved anywhere on the file system. Broadcom recommends the SCP protocol for transferring the file to the appliance; tools such as WinSCP can also be used.

  4. Unzip the file using the command below.
    unzip CSP-96928-Appliance-3.3.7.zip -d CSP-96928-Appliance-3.3.7

  5. Change into the unzipped folder using the command below.
    cd CSP-96928-Appliance-3.3.7

  6. Run the patch script using the command below.
    ./CSP-96928-applyPatch.sh

  7. In the case of a vIDM 3-node cluster, if the LCM version is lower than 8.14.0 and the cluster appears down after the patch deployment, follow the KB (https://knowledge.broadcom.com/external/article/367175) after applying the patch on all 3 nodes.

Note: If you are running a cluster deployment, repeat the steps above on all additional nodes of the cluster.

Patch Deployment Validations:

After the patch deployment, perform the steps below to confirm that the patch has been applied successfully.

  1. Log in to the vIDM Console as an Administrator and verify that the System Diagnostics page is green.

  2. If the patch is applied successfully, a flag file named CSP-96928-3.3.7-hotfix.applied is created in the /usr/local/horizon/conf/flags directory.

  3. Log in to the Service as a local administrator and navigate to the Legacy Connector page. Click the Worker link and check whether the auth adapters load under the "Auth Adapters" tab. Click any Enabled auth adapter and check that the page opens correctly.

  4. Perform Directory Sync to validate users/groups are synced.

  5. Check in the UI portal that all tabs open properly, including the configuration page at https://<vidm-hostname>:8443.

  6. Check that the Admin Portal and the Connectors page show the version as "3.3.7.0 Build 23103647".

Note: 

  • If you are running a cluster deployment, repeat the steps above on all additional nodes of the cluster.

  • Patch application must be sequential, i.e. Primary -> Secondary -> Secondary nodes.

  • Run the Remediate action from LCM on the vIDM cluster if the vRLCM version is 8.12.0 or below.

  • For vRLCM version 8.14.0 and above, auto recovery takes care of the cluster health on reboot.

  • This is a cumulative patch; it also installs the following patches: CSP-95247, CSP-93316, CSP-91401, CSP-90495, HW-189454, and HW-170932.
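As an added example (not Broadcom's patch script and not output from the appliance), the pre-checks from the deployment procedure and the flag-file validation above as a shell script: it parses `rabbitmqctl list_feature_flags` output in the name/state layout shown earlier, decides whether `enable_feature_flag all` is required (version earlier than 3.11 with any flag not enabled), checks the flags directory mode the patch needs, and looks for the applied-marker file. The sample flag listing is constructed, and the directory path is a parameter so the checks can be exercised outside the appliance.

```shell
#!/bin/sh
# Pre-flight and post-patch checks for the CSP-96928 procedure (added example).

# Return 0 if dot-separated version $1 is lower than version $2 (first three fields).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1 }'
}

# Print the names of feature flags whose state is not "enabled", given the
# text of "rabbitmqctl list_feature_flags" (the two header lines are skipped).
disabled_flags() {
    printf '%s\n' "$1" | awk 'NR > 2 && NF == 2 && $2 != "enabled" { print $1 }'
}

# Return 0 when "enable_feature_flag all" must run before patching: the KB
# requires it when RabbitMQ is older than 3.11 and any flag is not enabled.
must_enable_flags() {
    version_lt "$1" "3.11.0" || return 1
    [ -n "$(disabled_flags "$2")" ]
}

# The patch needs the flags directory (on the appliance,
# /usr/local/horizon/conf/flags) to be mode 777; exact-mode match via find.
flags_dir_ok() {
    [ -d "$1" ] && [ -n "$(find "$1" -prune -perm 0777 -print)" ]
}

# Post-patch validation: the apply script creates this marker on success.
patch_applied() {
    [ -f "$1/CSP-96928-3.3.7-hotfix.applied" ]
}

# Constructed sample listing: a 3.10.7 broker with one flag still disabled.
SAMPLE_FLAGS='Listing feature flags ...
name    state
classic_mirrored_queue_version    enabled
quorum_queue    disabled
stream_queue    enabled'

if must_enable_flags "3.10.7" "$SAMPLE_FLAGS"; then
    echo "Enable all feature flags before patching; not enabled: $(disabled_flags "$SAMPLE_FLAGS" | tr '\n' ' ')"
fi
```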

Related Information:

To revert this patch, you can revert to the appliance(s) snapshot and the database backup taken before applying these steps. 

Attachments

ntp-4.2.8p16-1.ph3.x86_64.rpm