CVE-2021-22002 has been determined to affect vRealize Automation 7.6. This vulnerability and its impact on VMware products are documented in VMSA-2021-0016. VMSA-2021-0016 covers a vulnerability in VMware Workspace ONE Access/VMware Identity Manager (vIDM). vRealize Automation (vRA) 7.6 embeds vIDM.
Table: Affected Product Versions:
Product Component | Version(s) | Guest Operating System |
vRealize Automation (vIDM) | 7.6 | Linux |
The affected product versions are limited to the appliance only. The connector is not impacted.
Independent Workspace ONE Access/vIDM environments follow a different procedure to address HW-137959. Please follow this link for details on addressing HW-137959 on independent Workspace ONE Access/vIDM environments. The workaround details below for HW-137959 apply only to vRA 7.6 appliances.
Note: CVE-2021-22002 will be addressed in the cumulative patch cycle for vRA 7.6. Follow this link for the latest details on the vRA 7.6 cumulative patch.
The workaround addresses the vulnerability identified against the reported CVE: CVE-2021-22002.
workaround deployment steps, and how to confirm the workaround is applied.
Before You Begin:
Product | Version(s) |
vRealize Automation (vIDM) | 7.6 |
Resolution:
Install the workaround to address the vulnerability identified against the reported CVE: CVE-2021-22002.
Deploying the workaround takes approximately 10 minutes per appliance. Each appliance can be updated independently, so the vRA appliances do not all need to be offline at the same time. The workaround can therefore be deployed in a rolling fashion without taking the entire vRA environment offline.
Workaround Impact:
The workaround disables the ability to resolve the configuration page of vIDM. This endpoint is not used in vRA 7.6 environments and will not cause any impact to functionality.
Workaround Deployment Procedures:
Linux Virtual Appliance Procedure
Note: If you are on the wrong version of vRA you will be presented with the following error: "This hotfix is only applicable to be run on 7.x.x"
Note: If you are running a multi-appliance deployment, repeat the above steps on each additional appliance within the environment.
Rollback Deployment Procedures:
If there is a failure during the workaround deployment process and there is no backup available to revert to, the following steps can be taken to roll back the workaround. These steps must be performed on each impacted appliance.
Linux Virtual Appliance Procedure