Workaround Instructions For VMSA-2023-0001
search cancel

Workaround Instructions For VMSA-2023-0001

book

Article ID: 337273

calendar_today

Updated On:

Products

VMware Aria Suite

Issue/Introduction

This KB documents the workaround steps for VMSA-2023-0001.

Please note that the workarounds described in this document are meant to provide temporary mitigation for the vulnerabilities disclosed in VMSA-2023-0001.
To fully remediate the vulnerabilities VMware vRealize Log Insight must be upgraded to 8.10.2.

Download the KB90635_3.zip file from here.
Note: The file is posted on the download page for VMware vRealize Log Insight 8.10.2 but the same scripts can be executed on all versions of VMware vRealize Log Insight 8.x.  Please download the file from the above location for all supported versions.

This contains 2 files:

  • KB90635.sh
  • KB90635_validate.sh

Please ensure that the correct file, KB90635_3.zip is downloaded.

 



Environment

VMware vRealize Log Insight 8.x

Resolution

Workaround Instructions For VMSA-2023-0001

To apply the workaround for VMSA-2023-0001, perform the following steps for each vRealize Log Insight node in the cluster.

  1. Log into the Primary node as root via SSH or Console.
Note: If you do not know your root password, see How to reset the root password in VMware Aria Operations for Logs.
Note: If you are unable to connect to vRealize Log Insight, see The VMware Aria Operations for Logs root partition is full.
  1. Download the KB90635.sh file mentioned in the Purpose section to this KB and upload it into the /opt/vmware/bin/ folder of the node using an SCP utility.
  2. Run the following commands to change the permissions of the KB90635.sh file and make it executable:
chmod +x /opt/vmware/bin/KB90635.sh
chmod 755 /opt/vmware/bin/KB90635.sh

  1. Run the following command to execute the KB90635.sh script:
/opt/vmware/bin/KB90635.sh setup

Note: The script prompts the user to ensure that the node is already part of a vRealize Log Insight cluster.  This script should only be executed on a standalone host or on an node that is already added to a vRealize Log Insight cluster.
Note: Ensure there are no ERROR messages in the commands output.
  1. Proceed to the next node in the cluster and follow steps 1-4 on each node.

Do NOT delete the KB90635.sh file after remediation.  This file should remain at /opt/vmware/bin/KB90635.sh until the appliance is upgraded to version 8.10.2 or later.
 

Validation Steps For The Workaround

To validate the workaround for VMSA-2023-0001, perform the following steps for each vRealize Log Insight node in the cluster.

Important: Ensure that you have executed the steps above on ALL nodes on the cluster before proceeding with the validation.
 
  1. Log into the Primary node as root via SSH or Console.
Note: If you do not know your root password, see How to reset the root password in VMware Aria Operations for Logs.
Note: If you are unable to connect to vRealize Log Insight, see The VMware Aria Operations for Logs root partition is full.
  1. Download the KB90635_validate.sh file mentioned in the Purpose section and upload it into the /opt/vmware/bin/ folder of the node using an SCP utility.
  2. Run the following commands to change the permissions of the KB90635_validate.sh file and make it executable:
chmod +x /opt/vmware/bin/KB90635_validate.sh
chmod 755 /opt/vmware/bin/KB90635_validate.sh


  1. Run the following command to execute the KB90635_validate.sh script:
/opt/vmware/bin/KB90635_validate.sh

Note: Ensure that all nodes in the cluster are listed in the output.

Example:
  1. The script will continue to execute the required steps.  Follow the output and ensure that no errors are reported.  Upon successful completion, a message similar to the below will be displayed:

Do NOT delete the KB90635.sh file after remediation.  This file should remain at /opt/vmware/bin/KB90635.sh until the appliance is upgraded to version 8.10.2 or later.



Additional Information

To add new nodes to an existing cluster, follow the steps below.
  1. Log into the Primary node as root via SSH or Console.
  2. Run the following command on the Primary node to a execute the KB90635.sh script against the new node:
/opt/vmware/bin/KB90635.sh add new_node_ip

Note: Replace new_node_ip with the IP address of the new node to be added to the cluster.

Example/opt/vmware/bin/KB90635.sh add 192.168.0.212
  1. Join the new node to the cluster as normal and wait for successful initialization.
  2. Log into the new node as root via SSH or Console.
  3. Run the following command to execute the KB90635.sh script:
/opt/vmware/bin/KB90635.sh setup
  1. On all nodes in the cluster, run the following commands to restart the KB90635.sh script:
/opt/vmware/bin/KB90635.sh stop
/opt/vmware/bin/KB90635.sh start


Update 1/26/2023
The workaround scripts have been updated to avoid an issue that resulted in false or incorrect failures when executing the KB90635_validation script.
Please ensure that you download the latest file from the link above

Update 1/30/2023
Scripts updated to resolve issue when executing in a FIPS enabled environment


Impact/Risks:
It is recommended to take snapshots of the vRealize Log Insight nodes before applying the workaround.

Do NOT delete the KB90635.sh file after remediation.  This file should remain at /opt/vmware/bin/KB90635.sh until the appliance is upgraded to version 8.10.2 or later.