CSP-99024: Patch instructions to upgrade Photon-OS Libraries
Article ID: 387748

Products

VMware

Issue/Introduction

This article provides instructions for upgrading the Photon OS libraries on the VMware Identity Manager appliance to fix the security vulnerabilities listed below.

List of affected versions

Product Component: VMware Identity Manager Appliance

Version(s): 3.3.7

Applicable CVE(s): CVE-2023-0054,CVE-2022-2819,CVE-2022-2946,CVE-2022-2264,CVE-2022-2286,CVE-2022-2287,CVE-2022-2289,CVE-2022-2304,CVE-2022-2343,CVE-2022-2345,CVE-2022-2580,CVE-2022-2581,CVE-2022-2849,CVE-2022-2980,CVE-2022-3016,CVE-2022-3037,CVE-2022-3234,CVE-2022-3235,CVE-2022-3296,CVE-2022-3297,CVE-2022-3705,CVE-2022-4293,CVE-2023-1170,CVE-2023-1175,CVE-2023-1264,CVE-2023-2609,CVE-2023-4735,CVE-2023-4738,CVE-2023-4750,CVE-2023-4752,CVE-2023-5344,CVE-2023-46246,CVE-2023-48231,CVE-2023-48233,CVE-2023-48235,CVE-2023-48706,CVE-2022-47024,CVE-2023-0049,CVE-2023-0051,CVE-2023-0433,CVE-2022-3324,CVE-2022-3520,CVE-2022-3591,CVE-2022-4292,CVE-2022-2288,CVE-2022-3256,CVE-2022-3278,CVE-2023-2610,CVE-2023-4734,CVE-2023-4751,CVE-2023-4733,CVE-2023-4781,CVE-2023-5441,CVE-2023-5535,CVE-2023-48234,CVE-2023-48236,CVE-2022-2257,CVE-2022-2284,CVE-2022-2285,CVE-2022-2344,CVE-2022-2522,CVE-2022-2571,CVE-2022-2598,CVE-2022-2816,CVE-2022-2817,CVE-2022-2845,CVE-2022-2862,CVE-2022-2874,CVE-2022-2889,CVE-2022-2923,CVE-2022-2982,CVE-2022-3099,CVE-2022-3134,CVE-2022-3153,CVE-2022-3352,CVE-2022-3491,CVE-2022-4141,CVE-2023-48237,CVE-2024-28085,CVE-2023-39804,CVE-2022-40897,CVE-2023-31124,CVE-2023-31130,CVE-2023-31147,CVE-2023-32067,CVE-2022-48564,CVE-2020-10735,CVE-2022-37454,CVE-2023-24329,CVE-2022-48560,CVE-2022-48565,CVE-2022-48566,CVE-2023-40217,CVE-2023-6597,CVE-2022-4304,CVE-2022-4450,CVE-2023-0286,CVE-2023-0464,CVE-2023-2650,CVE-2023-0215,CVE-2020-11080,CVE-2020-24370,CVE-2021-44647,CVE-2023-23454,CVE-2023-23559,CVE-2023-1076,CVE-2023-3212,CVE-2023-3776,CVE-2023-40283,CVE-2023-31085,CVE-2023-52620,CVE-2024-26642,CVE-2024-42284,CVE-2024-42301,CVE-2024-43858,CVE-2024-44998,CVE-2024-44999,CVE-2024-46673,CVE-2022-3303,CVE-2023-28466,CVE-2023-35001,CVE-2023-5717,CVE-2024-36971,CVE-2024-42154,CVE-2024-42224,CVE-2024-42271,CVE-2024-42285,CVE-2024-44987,CVE-2024-46674,CVE-2022-3424,CVE-2022-3628,CVE-2022-36280,CVE-2022-41218,CVE-2022-45934,CVE-2022-47929,CVE-2023-0266,CVE-2023-0394,CVE-2023-0458,CVE-2023-0461,CVE-2023-23455,CVE-2023-28328,CVE-2021-44879,CVE-2022-0480,CVE-2022-3061,CVE-2023-1073,CVE-2023-1074,CVE-2023-1077,CVE-2022-20166,CVE-2023-1206,CVE-2023-2007,CVE-2023-3390,CVE-2023-3609,CVE-2023-3611,CVE-2024-0607,CVE-2024-1086,CVE-2024-38538,CVE-2024-38588,CVE-2024-46722,CVE-2024-46723,CVE-2024-46738,CVE-2024-46743,CVE-2024-46747,CVE-2024-46800,CVE-2023-29469,CVE-2023-45322,CVE-2024-25062,CVE-2024-34459,CVE-2023-29499,CVE-2023-32611,CVE-2023-32636,CVE-2023-32643,CVE-2024-33601,CVE-2024-2961,CVE-2024-33599,CVE-2024-33600,CVE-2024-33602,CVE-2023-32665,CVE-2023-0361,CVE-2024-0553,CVE-2024-0567,CVE-2019-6470,CVE-2021-33294,CVE-2023-38545,CVE-2023-38039,CVE-2024-9681,CVE-2023-1786


Environment

VMware Identity Manager 3.3.x

Resolution

Before You Begin:

  1. Upgrade any instance running an unsupported version to a newer, supported version before applying the patch; this procedure works only for the version listed above. Refer to the VMware Lifecycle Matrix https://support.broadcom.com/group/ecx/productlifecycle#/ for the list of supported versions of the product.
  2. It is strongly recommended that you take a snapshot or backup of the appliance(s) and of the database server before applying the procedure.
  3. Make sure at least 16GB of free space is available in the installation file path.
  4. The patch requires GRUB 2. Check which grub directory the appliance uses with "ls -ltr /boot/grub" or "ls -ltr /boot/grub2"; grub.cfg should be present in the output. If grub.cfg is missing, or if GRUB is older than version 2.0, update GRUB to version 2.0 or later before applying the patch. If you are unsure how to add or update the grub configuration, contact the support team for assistance.

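The four pre-flight items above can be checked from the appliance shell before the patch is touched. The script below is an added example, not VMware's patch script and not part of the KB article. It assumes (my assumptions, not stated in the KB) that free space is measured on the filesystem holding the installation path and that the GRUB version can be read from the banner printed by "grub2-install --version" (or "grub-install --version" on older layouts); the 16 GiB threshold follows item 3.

```bash
#!/bin/bash
# Pre-flight checks for the "Before You Begin" items. Added example, not
# VMware's script. Assumptions (mine): free space is measured on the
# filesystem that holds the installation path, and the GRUB version is read
# from the banner printed by `grub2-install --version` / `grub-install --version`.

# check_free_space PATH GIB: succeed when the filesystem holding PATH has at
# least GIB GiB available (df -Pk reports 1 KiB blocks, one line per mount).
check_free_space() {
    local path="$1" need_gib="$2" avail_kib
    avail_kib=$(df -Pk "$path" 2>/dev/null | awk 'NR == 2 { print $4 }')
    [ -n "$avail_kib" ] || return 2          # path does not exist / df failed
    [ "$((avail_kib / 1024 / 1024))" -ge "$need_gib" ]
}

# find_grub_cfg DIR...: print the first DIR/grub.cfg that exists. The KB names
# /boot/grub and /boot/grub2 as the two places to look.
find_grub_cfg() {
    local d
    for d in "$@"; do
        if [ -f "$d/grub.cfg" ]; then
            printf '%s\n' "$d/grub.cfg"
            return 0
        fi
    done
    return 1
}

# grub_major_ok BANNER: succeed when the first dotted version number in BANNER
# (e.g. "grub2-install (GRUB) 2.06") has a major version of 2 or higher.
grub_major_ok() {
    local major
    major=$(printf '%s\n' "$1" | grep -o '[0-9][0-9]*\.[0-9][0-9]*' | head -n 1 | cut -d. -f1)
    [ -n "$major" ] && [ "$major" -ge 2 ]
}

# preflight [INSTALL_PATH]: run every check against the live appliance and
# return non-zero if any of them fails.
preflight() {
    local install_path="${1:-/tmp}" rc=0 cfg banner
    if check_free_space "$install_path" 16; then
        echo "OK   at least 16 GiB free on the filesystem holding $install_path"
    else
        echo "FAIL less than 16 GiB free on the filesystem holding $install_path"; rc=1
    fi
    if cfg=$(find_grub_cfg /boot/grub /boot/grub2); then
        echo "OK   grub.cfg present at $cfg"
    else
        echo "FAIL grub.cfg not found in /boot/grub or /boot/grub2"; rc=1
    fi
    banner=$(grub2-install --version 2>/dev/null || grub-install --version 2>/dev/null)
    if grub_major_ok "$banner"; then
        echo "OK   GRUB version: $banner"
    else
        echo "FAIL GRUB 2.x not detected (got: '${banner:-nothing}'); update GRUB first"; rc=1
    fi
    return "$rc"
}

# Only touch the live system when asked, e.g.:  bash preflight.sh --run /tmp
if [ "${1:-}" = "--run" ]; then
    preflight "${2:-/tmp}"
fi
```

Run it as root on each node before step 1 of the deployment procedure; a non-zero exit means at least one prerequisite is missing. The version parsing is deliberately loose (first dotted number in the banner) so it copes with both the "grub2-install (GRUB) 2.06" and "GNU GRUB version ..." banner styles.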

Patch Deployment Procedure:

  1. Log in as sshuser and switch to root with sudo.
  2. Download CSP-99024-Appliance-3.3.7.zip and transfer it to the virtual appliance. The zip file can be saved anywhere on the file system where sufficient space is available (at least 5 GB, see Notes below). VMware recommends SCP to transfer the file to the appliance; tools such as WinSCP can also be used.
  3. Unzip the file:
    unzip CSP-99024-Appliance-3.3.7.zip -d CSP-99024-Appliance-3.3.7
  4. Change into the unzipped folder:
    cd CSP-99024-Appliance-3.3.7
  5. Run the patch script:
    ./CSP-99024-applyPatch.sh

Note: If you are running a cluster deployment, repeat the steps above on all additional nodes of the cluster.

Patch Deployment Validations:

After the patch deployment, perform the following steps to confirm that the patch was applied successfully:

  1. Log in to the VIDM Console as an Administrator and verify that the System Diagnostics page is green.
  2. If the patch was applied successfully, the flag file CSP-99024-3.3.7.0-hotfix.applied exists in the /usr/local/horizon/conf/flags directory.
  3. Log in to the service as a local administrator and navigate to the Legacy Connector page. Click the Worker link and check that the auth adapters load under the "Auth Adapters" tab. Click any enabled auth adapter and check that its page opens correctly.
  4. Perform a Directory Sync to validate that users and groups are synced.
  5. Check in the UI portal that all tabs open properly, including the cfg page https://<vidm-hostname>:8443
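The flag file only proves the patch script finished; it does not show which Photon OS packages actually changed. The script below is an added example (not VMware's tooling and not from the KB) that checks for the flag file and diffs a package inventory taken before the patch against one taken afterwards. The inventory format and file names are my assumptions: capture them with "rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | sort" before and after the patch. The versions in the built-in demo are constructed placeholders, not real Photon package versions.

```bash
#!/bin/bash
# Post-patch validation for CSP-99024. Added example, not VMware's tooling and
# not part of the KB. Assumed workflow (mine): before and after the patch run
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | sort > /root/rpm-before.txt
# (and rpm-after.txt), then compare the two inventories.

FLAG_FILE=/usr/local/horizon/conf/flags/CSP-99024-3.3.7.0-hotfix.applied

# flag_present [PATH]: succeed if the flag file the KB says the patch writes exists.
flag_present() {
    [ -f "${1:-$FLAG_FILE}" ]
}

# diff_packages BEFORE AFTER: both files hold "<name> <version-release>" lines.
# Prints one line per package that changed, appeared or disappeared:
#   <name> <old-version> -> <new-version>
# New packages show "(new)" as the old version, removed ones "(removed)" as the new.
# The before=1 / before=0 assignments are awk command-line variable assignments,
# applied as awk reaches each file, so an empty BEFORE file is handled correctly.
diff_packages() {
    awk '
        before { old[$1] = $2; next }
        {
            seen[$1] = 1
            prev = ($1 in old) ? old[$1] : "(new)"
            if (prev != $2) printf "%s %s -> %s\n", $1, prev, $2
        }
        END { for (p in old) if (!(p in seen)) printf "%s %s -> (removed)\n", p, old[p] }
    ' before=1 "$1" before=0 "$2"
}

# count_changes BEFORE AFTER: number of lines diff_packages would print.
count_changes() {
    diff_packages "$1" "$2" | wc -l | tr -d ' '
}

# changelog_mentions_cve PKG CVE-ID: on the appliance, succeed if the package's
# RPM changelog cites the CVE. Photon rebuilds usually record the CVEs they fix.
changelog_mentions_cve() {
    rpm -q --changelog "$1" 2>/dev/null | grep -q -- "$2"
}

# Stand-alone demo on constructed inventories (placeholder versions, not real).
demo() {
    local before after
    before=$(mktemp) && after=$(mktemp)
    printf '%s\n' 'curl 1.0-1' 'glibc 1.0-1' 'openssl 1.0-1' > "$before"
    printf '%s\n' 'curl 1.0-2' 'glibc 1.0-1' 'libxml2 1.0-1' 'openssl 1.1-1' > "$after"
    diff_packages "$before" "$after" | sort
    rm -f "$before" "$after"
}

case "${1:-}" in
    --demo) demo ;;
    --check)
        # usage: bash validate.sh --check /root/rpm-before.txt /root/rpm-after.txt
        if flag_present; then echo "OK   $FLAG_FILE present"; else echo "FAIL $FLAG_FILE missing"; fi
        if [ $# -ge 3 ]; then diff_packages "$2" "$3"; fi
        ;;
esac
```

On a node where the patch ran, the package diff should list the libraries the CVE list above belongs to (kernel, openssl, curl, glibc, libxml2 and so on, depending on what the bundled hotfixes had already upgraded); an empty diff alongside a present flag file is the case worth investigating, not celebrating. For a specific CVE, "changelog_mentions_cve openssl CVE-2023-0286" is a quick spot check, with the caveat that a changelog entry is evidence the maintainer intended the fix, not a functional test.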

Notes:  

  1. Apply the patch to the nodes sequentially: Primary -> Secondary -> Secondary.
  2. If the vRLCM version is 8.12.0 or below, run the Remediate action from LCM on the vIDM cluster after patching.
  3. For vRLCM version 8.14.0 and above, auto recovery takes care of the cluster health on reboot.
  4. This is a cumulative patch: it also installs the fixes from CSP-97727, CSP-96928, CSP-95247, CSP-93316, CSP-91401, CSP-90495, HW-189454 and HW-170932. When CSP-99024 is installed on the GA release of vIDM 3.3.7, all of those fixes are installed, but only the CSP-99024 flag file is written to /usr/local/horizon/conf/flags; no flag files are created for the bundled hotfixes. This differs from earlier cumulative patches for VIDM, which installed each patch in sequence and left a flag file for each one.
  5. Space requirements start at 5GB, but an older deployment with many previous patches applied will likely need more. Deployments with 8GB available in /tmp have run out of space when several earlier patches had been applied (example flag listing below). Newer deployments without multiple previous patches should be fine with the 5GB minimum.

    [~]# ls -l /usr/local/horizon/conf/flags
    -rw------- 1 root    root  0 Mar 18 15:05 CSP-90495-3.3.7.0-hotfix.applied
    -rw------- 1 root    root  0 Mar 18 15:06 CSP-91401-3.3.7.0-hotfix.applied
    -rw------- 1 root    root  0 Mar 18 15:07 CSP-93316-3.3.7.0-hotfix.applied
    -rw------- 1 root    root  0 Mar 18 15:07 CSP-95247-3.3.7.0-hotfix.applied
    -rw------- 1 root    root  0 Mar 18 15:08 CSP-96928-3.3.7.0-hotfix.applied
    -rw------- 1 root    root  0 Mar 18 15:09 CSP-97727-3.3.7.0-hotfix.applied
    -rw------- 1 root    root  0 Mar 18 15:04 HW-170932-3.3.7.0-hotfix.applied
    -rw------- 1 root    root  0 Mar 18 15:05 HW-189454-3.3.7.0-hotfix.applied


Related Information:

To revert this patch, restore the appliance(s) from the snapshot and the database from the backup taken before applying these steps.