HW-137959: VMSA-2021-0016 for vRealize Automation 7.6 (CVE-2021-22002, CVE-2021-22003)

Article ID: 318373

Products

VMware Aria Suite

Issue/Introduction

CVE-2021-22002 has been determined to affect vRealize Automation 7.6. This vulnerability and its impact on VMware products are documented in VMSA-2021-0016. VMSA-2021-0016 describes a vulnerability in VMware Workspace ONE Access/VMware Identity Manager (vIDM), and vRealize Automation 7.6 embeds vIDM within the vRA 7.6 appliance.

Table: Affected Product Versions:

Product               Component   Version(s)   Guest Operating System
vRealize Automation   (vIDM)      7.6          Linux

The affected product versions are limited to the appliance only. The connector is not impacted.

Independent Workspace ONE Access/vIDM environments follow a different procedure to address HW-137959. Please follow this link for details on addressing HW-137959 on independent Workspace ONE Access/vIDM environments. The workaround details below apply only to vRA 7.6 appliances.

Note: CVE-2021-22002 will be addressed in the cumulative patch cycle for vRA 7.6. Follow this link for the latest details on the vRA 7.6 cumulative patch.

Environment

VMware vRealize Automation 7.6.x

Resolution

The workaround addresses the vulnerability identified against the reported CVE: CVE-2021-22002. The sections below describe the workaround impact, the workaround deployment steps, and how to confirm the workaround is applied.


Before You Begin:

  • Take the snapshot without virtual memory (recommended)
  • Download the workaround script

Product                      Version(s)
vRealize Automation (vIDM)   7.6

Resolution:
Install the workaround to address the vulnerability identified against the reported CVE: CVE-2021-22002. 
Deployment of the workaround will take approximately 10 mins to apply for each appliance. The workaround can be deployed independently and will not require all vRA appliances to be offline at the same time. Therefore, the deployment of the workaround can be accomplished in a rolling fashion without taking the entire vRA environment offline.

Workaround Impact:
The workaround disables the ability to resolve the configuration page of vIDM. This endpoint is not used in vRA 7.6 environments and will not cause any impact to functionality.

Workaround Deployment Procedures: 
Linux Virtual Appliance Procedure

  1. Log in to the appliance as the sshuser user and switch to the root user.
  2. Copy HW-137959-vRA.zip to the appliance. Place the file in a location easily accessible by the root user.
    1. VMware recommends the SCP protocol to deliver the file to the appliance. Tools such as WinSCP can be used to transfer the file to the appliance.
  3. Unzip the file using the below command.
CMD: unzip HW-137959-vRA.zip
  4. Navigate to the files within the unzipped folder.
CMD: cd HW-137959-vRA
  5. Run the workaround script using the below command from the terminal.
CMD: ./HW-137959-Workaround.sh
  6. Evaluate the warning about creating a backup before proceeding.
    1. Type ‘y’ and press <Enter> to continue.
  7. Wait up to 5 minutes for the workaround to be applied.
  8. To validate the workaround was applied on the appliance, attempt to launch the configuration login page. The expected behavior is that this page will not be available.
Example: https://<fqdn_of_appliance>:8443/cfg/login
 

Note: If you are on the wrong version of vRA you will be presented with the following error: "This hotfix is only applicable to be run on 7.x.x"

Note: If you are running multi-appliance deployment, repeat the above steps on each additional appliance within the environment.

Rollback Deployment Procedures: 
If there is a failure during the workaround deployment process and there is no backup available to revert to, the following steps can be taken to roll back the workaround. These steps need to be taken on each impacted appliance.
Linux Virtual Appliance Procedure 

1. Replace the iptables file with the backup file created during workaround deployment.
CMD: mv /etc/bootstrap/everyboot.d/03-vidm-cluster-access-iptables.bk /etc/bootstrap/everyboot.d/03-vidm-cluster-access-iptables
 
2. Run the below script to update the iptables rules.
CMD: /etc/bootstrap/everyboot.d/03-vidm-cluster-access-iptables
 
3. Remove the Flag File.
CMD:  rm -f /usr/local/horizon/conf/flags/HW-137959-7.6.0.applied
 
4. To validate the rollback on the appliance, attempt to launch the configuration login page. The expected behavior is that this page will be available.
 
Example: https://<fqdn_of_appliance>:8443/cfg/login
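The validation step in both procedures above checks only the cfg login page by hand. The following added example (not VMware's HW-137959 script) cross-checks that page against the two artefacts the article names, the flag file and the iptables backup, so a partial run or partial rollback shows up as "inconsistent". Paths default to those in the article; FLAG_FILE, IPTABLES_SCRIPT and CFG_URL are assumed environment overrides, and the URL is derived from `hostname -f`.

```shell
#!/bin/sh
# Added example, not VMware's HW-137959 workaround script.
# Reports whether the HW-137959 workaround is in place on a vRA 7.6
# appliance. Run as root on the appliance: sh hw137959-check.sh check

# hw137959_state FLAG IPTABLES_SCRIPT -> prints one of:
#   applied       flag file and iptables backup both present
#   not-applied   neither present (clean appliance or fully rolled back)
#   inconsistent  only one present (partial deployment or partial rollback)
hw137959_state() {
  flag="$1"; script="$2"; n=0
  [ -f "$flag" ] && n=$((n + 1))
  [ -f "$script.bk" ] && n=$((n + 1))
  case $n in
    2) echo applied ;;
    0) echo not-applied ;;
    *) echo inconsistent ;;
  esac
}

# cfg_page_reachable URL -> 0 if any HTTP response comes back, 1 if the
# connection fails (expected once the workaround blocks the cfg page),
# 2 if curl is not installed.
cfg_page_reachable() {
  command -v curl >/dev/null 2>&1 || return 2
  curl -sk --connect-timeout 5 -o /dev/null "$1" >/dev/null 2>&1 && return 0
  return 1
}

main() {
  # Defaults are the paths and port given in the article (assumed overrides).
  flag=${FLAG_FILE:-/usr/local/horizon/conf/flags/HW-137959-7.6.0.applied}
  script=${IPTABLES_SCRIPT:-/etc/bootstrap/everyboot.d/03-vidm-cluster-access-iptables}
  url=${CFG_URL:-https://$(hostname -f):8443/cfg/login}
  state=$(hw137959_state "$flag" "$script")
  echo "workaround state: $state"
  if cfg_page_reachable "$url"; then reach=yes; else reach=no; fi
  echo "cfg login page reachable: $reach"
  # The file state and the page check must agree; anything else needs follow-up.
  case "$state:$reach" in
    applied:no|not-applied:yes) echo "OK: consistent" ;;
    *) echo "WARNING: file state and page reachability disagree"; return 1 ;;
  esac
}

if [ "${1:-}" = "check" ]; then main; fi
```

Run it once per appliance after deployment (expect "applied" and "reachable: no") and again after any rollback (expect "not-applied" and "reachable: yes").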