CVE-2020-4006 has been determined to affect some releases of Workspace ONE Access, VMware Identity Manager, and VMware Identity Manager Connector. This vulnerability and its impact on VMware products are documented in VMSA-2020-0027.

Table: Affected Product Components and Versions

    Product                             Version(s)            Guest Operating System
    VMware Workspace ONE Access         20.10                 Linux
    VMware Workspace ONE Access         20.01                 Linux
    VMware Identity Manager             3.3.3                 Linux
    VMware Identity Manager             3.3.2                 Linux
    VMware Identity Manager             3.3.1                 Linux
    VMware Identity Manager Connector   3.3.2, 3.3.1          Linux
    VMware Identity Manager Connector   3.3.3, 3.3.2, 3.3.1   Windows
    VMware Identity Manager Connector   19.03                 Windows
    VMware Identity Manager Connector   19.03.0.1             Windows

Note: VMware Cloud Foundation 4.0 - 4.1 and VMware Validated Design 6.0 - 6.1 deploy Workspace ONE Access 3.3.2 in the Linux appliance form factor using vRealize Suite Lifecycle Manager and traditional OVA-based methods. These include both standalone and clustered instance deployments. Workspace ONE Access 3.3.2 may also be deployed by Cloud Foundation 3.10 customers using vRealize Suite 2019. Hotfixes should be applied directly to affected deployments, following the instructions in the Resolution section below.
The patch addresses the vulnerability identified against the reported CVE, CVE-2020-4006. The patch deployment steps, the changes to expect, and how to confirm the patch has been applied are described in the corresponding README in the patch file.

Note: If you followed the workaround instructions from https://kb.vmware.com/s/article/81731 , follow the steps to revert them and then proceed to installing the patch. Refer to https://kb.vmware.com/s/article/81731 for the workaround and revert instructions.

Before You Begin:

1. Back up the configuration or system.

   For Linux appliances, back up these folders before applying the patches:

       /opt/vmware/horizon/workspace/webapps/cfg
       /opt/vmware/horizon/workspace/webapps/hc   (Note: this folder does not apply to the 20.01 and 20.10 releases.)

   For Windows virtual machines, back up these folders before applying the patches:

       "INSTALLLOCATION\opt\vmware\horizon\workspace\webapps\cfg"
       "INSTALLLOCATION\opt\vmware\horizon\workspace\webapps\hc"

   Alternatively, you can take a backup of the virtual appliance or the Windows virtual machine.

2. Launch the Configurator login page on each node and record the "Build" version. Example: https://<node-fqdn>:8443/cfg/login

3. If a clustered deployment of Workspace ONE Access (Identity Manager) is deployed by vRealize Suite Lifecycle Manager, verify the state of operations before proceeding with the patch. Please refer to the Operational Verification of Workspace ONE Access documentation in the VMware Validated Design for recommended procedures.

4. Download the patches:

       VMware Workspace ONE Access 20.10
       VMware Workspace ONE Access 20.01
       VMware Identity Manager 19.03
       VMware Identity Manager 19.03.0.1
       VMware Identity Manager 3.3.3
       VMware Identity Manager 3.3.2
       VMware Identity Manager 3.3.1

   Alternatively, patches for 19.03.0.1 and 19.03 can be downloaded from here.

Resolution: Install the patch to address the vulnerability identified against the reported CVE, CVE-2020-4006.
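The following is an added example, not part of this KB article or any VMware-supplied script, that performs the Linux pre-patch backup step above in a repeatable way: it archives the webapps/cfg and webapps/hc folders into a timestamped backup directory and skips hc when it is absent (as the KB notes for the 20.01 and 20.10 releases) instead of failing. The default source path is the one named in the KB; the default backup location under /root and the archive naming are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not VMware's code): back up the Workspace ONE Access /
# Identity Manager webapp folders named in the KB before applying the hotfix.
#
# Usage: backup_webapps [WEBAPPS_DIR] [BACKUP_DIR]
#   WEBAPPS_DIR defaults to /opt/vmware/horizon/workspace/webapps (from the KB)
#   BACKUP_DIR  defaults to /root/wsa-backup-<timestamp> (this example's choice)
# Returns 0 when every present folder was archived, 1 on any failure.

backup_webapps() {
    webapps="${1:-/opt/vmware/horizon/workspace/webapps}"
    stamp="$(date +%Y%m%d-%H%M%S)"
    backup="${2:-/root/wsa-backup-$stamp}"

    if [ ! -d "$webapps" ]; then
        echo "error: $webapps does not exist" >&2
        return 1
    fi
    mkdir -p "$backup" || return 1

    # cfg exists on every affected release; hc does not exist on 20.01/20.10,
    # so a missing hc is reported and skipped rather than treated as an error.
    for app in cfg hc; do
        if [ -d "$webapps/$app" ]; then
            archive="$backup/$app-$stamp.tar"
            # -C keeps paths in the archive relative (cfg/..., hc/...) so the
            # backup can be restored into the same webapps directory later.
            tar -C "$webapps" -cf "$archive" "$app" || return 1
            # Sanity-check that the archive is readable before trusting it.
            tar -tf "$archive" >/dev/null || return 1
            echo "backed up $webapps/$app -> $archive"
        else
            echo "skipping $webapps/$app (not present on this release)"
        fi
    done

    echo "backup complete in $backup"
    return 0
}

# Run only when explicitly requested, so sourcing this file has no side effects.
if [ "${1:-}" = "--run" ]; then
    shift
    backup_webapps "$@"
fi
```

Invoke it as root on the appliance with `sh backup_webapps.sh --run` before running update.sh; pass an explicit second argument to place the archives somewhere other than /root.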
Changes after Patch Deployment:

The "System Security" tab on the Configurator UI for all Linux appliances has been removed. For systems not managed by vRealize Suite Lifecycle Manager, the password for sshuser and root can be changed from a virtual machine console or an SSH session using the `passwd` command. Example: passwd <username>

Important: For systems managed by vRealize Suite Lifecycle Manager, the password for sshuser and root should be updated in the vRealize Suite Lifecycle Manager user interface.

Patch Deployment Procedures:

Linux Virtual Appliance Procedure

1. Transfer the .zip file to the Linux virtual appliance Service Appliances and/or Connectors.
2. Unzip the file.
3. Run update.sh from the shell.

Example:

    sshuser@xreg-wsa01a [ ~ ]$ su
    Password: ****************
    root@xreg-wsa01a [ /home/sshuser ]# unzip HW-128524.zip -d /home/sshuser/HW-12852
    root@sfo-wsa01 [ /home/sshuser ]# cd HW-12852/332/332-Service-Linux
    root@sfo-wsa01 [ /home/sshuser/HW-12852/332/332-Service-Linux ]# ls -al
    drwxr-xr-x 2 root root      4096 Dec 5 19:46 .
    drwxr-xr-x 4 root root      4096 Dec 5 14:44 ..
    -rw-r--r-- 1 root root 148034986 Dec 3 15:50 c2-frontend-0.1.war
    -rw-r--r-- 1 root root      1493 Dec 5 19:27 README.txt
    -rw-r--r-- 1 root root 134760396 Dec 3 15:50 svadmin-webapp-0.1.war
    -rwxr--r-- 1 root root       699 Dec 5 19:41 update.sh
    root@sfo-wsa01 [ /home/sshuser/HW-12852/332/332-Service-Linux ]# ./update.sh
    Starting horizon workspace service

Result: The .war files are replaced on the appliance and the Identity Manager/Access service is restarted.

To validate that the patch is successfully applied on the node, launch the Configurator login page and verify that the "Build" version has been updated. The expected build number is in the README.txt file. Example: https://<node-fqdn>:8443/cfg/login

Repeat on additional nodes, as required.
If a clustered deployment of Workspace ONE Access (Identity Manager) is deployed by vRealize Suite Lifecycle Manager, verify the state of operations after completing the patch deployment. Please refer to the Operational Verification of Workspace ONE Access documentation in the VMware Validated Design for recommended procedures.

Windows Virtual Machine Procedure for the Connectors:

1. Transfer the .zip file to the Windows virtual machine.
2. Unzip the file.
3. Run update.bat from a command prompt and pass the VMwareIDMConnector installation path as a parameter. (Do not include a trailing \ at the end of the installation path.)

Example:

    PS C:\Users\Administrator> cd .\Downloads\
    PS C:\Users\Administrator\Downloads> cd .\HW-128524-KB-333\333\333-Connector-Windows\
    PS C:\Users\Administrator\Downloads\HW-128524-KB-332\332\332-Connector-Windows> ls

        Directory: C:\Users\Administrator\Downloads\HW-128524-KB-332\332\332-Connector-Windows

    Mode     LastWriteTime         Length     Name
    ----     -------------         ------     ----
    ------   12/3/2020  7:50 AM    134760396  cfg.war
    ------   12/3/2020  7:50 AM    148034986  hc.war
    ------   12/3/2020 10:27 AM    3994       README.rtf
    ------   12/5/2020  6:01 AM    557        update.bat

    PS C:\Users\Administrator\Downloads\HW-128524-KB-333\332\332-Connector-Windows> .\update.bat C:\VMware\VMwareIdentityManager\Connector

Result: The .war files are replaced on the appliance and the VMwareIDMConnector service is restarted.

Repeat on additional nodes.

To validate that the patch is successfully applied on each node, launch the Configurator login page and verify that the "Build" version has been updated. The expected build number is in the README.rtf file. Example: https://<node-fqdn>:8443/cfg/login