...
CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960 and CVE-2022-22961 have been determined to impact Workspace ONE Access (VMware Identity Manager). These vulnerabilities and their impact on VMware products are documented in the following VMware Security Advisory (VMSA-2022-0011); please review this document before continuing.

Impacted Product Suites

- vRealize Automation (vRA) 7.x, 8.x: the vRA product suite can be impacted. If vIDM is used within the vRA environment, follow this knowledge base article and apply the patch directly to the vIDM appliance(s). NOTE: Customers leveraging vRA 7.6 must follow the instructions specific to this version, as listed in the Resolution section.
- vRealize Suite Automation Lifecycle Manager (vRSLCM) 8.x: the vRSLCM product suite can be impacted. If vIDM is used within the vRSLCM environment, follow this knowledge base article and apply the patch directly to the vIDM appliance(s).
- VMware Cloud Foundation (VCF) 4.x: VCF product suites can be impacted. If vIDM is used within the VCF environment, follow this knowledge base article and apply the patch directly to the vIDM appliance(s).
- VMware Cloud Foundation (VCF) 3.x: VCF product suites can be impacted. If vRA is used within the VCF environment, follow this knowledge base article and apply the patch directly to the vRA IaaS node(s).

List of affected versions

| Product | Component | Version(s) |
|---|---|---|
| VMware Workspace ONE Access | Appliance | 21.08.0.1 |
| VMware Workspace ONE Access | Appliance | 21.08.0.0 |
| VMware Workspace ONE Access | Appliance | 20.10.0.1 |
| VMware Workspace ONE Access | Appliance | 20.10.0.0 |
| VMware Identity Manager | Appliance | 3.3.6 |
| VMware Identity Manager | Appliance | 3.3.5 |
| VMware Identity Manager | Appliance | 3.3.4 |
| VMware Identity Manager | Appliance | 3.3.3 |
| VMware vRealize Automation | - | 7.6 |

NOTE: CVEs can relate to multiple product components. Confirm which components you are using before patching:

- Workspace ONE Access
- Workspace ONE Access Connector
- Identity Manager
- Identity Manager Connector

If a component is not listed, then no remediation is needed.
The hotfixes listed below address the aforementioned vulnerabilities.

Pre-deployment guidelines:

- It is recommended to upgrade instances of unsupported versions to a newer supported version before applying the patch. This procedure will not work for unsupported versions. Please refer to the VMware Lifecycle Matrix for the list of supported versions of the product.
- It is strongly recommended to take a snapshot or backup of the appliance(s) and the database server before applying the hotfix.
- The hotfix installers noted here will revert the workaround automatically if they are executed on a node where the workaround has been previously applied. Alternatively, you can use the revert-workaround procedures noted in KB 88098 to do so manually.
- Please note that a separate hotfix is available for vRA 7.6; steps for deploying it are noted in KB 70911.

Hotfix download locations

| Product | Component | Version(s) | Validation |
|---|---|---|---|
| VMware Workspace ONE Access | Appliance | 21.08.0.1 | Verify build number from Configurator page: 19539711 |
| VMware Workspace ONE Access | Appliance | 21.08.0.0 (updated Apr 07, 2022) | Verify build number from Configurator page: 19539711 |
| VMware Workspace ONE Access | Appliance | 20.10.0.1 | Verify build number from Configurator page: 19540061 |
| VMware Workspace ONE Access | Appliance | 20.10.0.0 | Verify build number from Configurator page: 19540061 |
| VMware Identity Manager | Appliance | 3.3.6 | Validate flag in /usr/local/horizon/conf/flags/: HW-154129-3.3.6.0-hotfix.applied |
| VMware Identity Manager | Appliance | 3.3.5 | Validate flag in /usr/local/horizon/conf/flags/: HW-154129-3.3.5.0i-hotfix.applied |
| VMware Identity Manager | Appliance | 3.3.4 | Validate flag in /usr/local/horizon/conf/flags/: HW-154129-3.3.4.0-hotfix.applied |
| VMware Identity Manager | Appliance | 3.3.3 | Validate flag in /usr/local/horizon/conf/flags/: HW-154129-3.3.3.0-hotfix.applied |

The hotfix can be deployed independently and does not require all appliances to be offline at the same time. Therefore, the hotfix can be deployed in a rolling fashion without taking the entire Workspace ONE Access environment offline.

NOTE: This hotfix is a cumulative patch and includes all previous hotfixes provided for a given version of Workspace ONE Access/vIDM.

If you downloaded the 21.08.0.0 hotfix before 1630 PDT, 7 April 2022, and deployed it, you may encounter problems with database connection monitoring/status. Please download the updated hotfix for this version (HW-154129-Appliance-21.08.0.0-updated-Apr-07-2022.zip), which addresses this problem. If you have deployed the problematic hotfix and need to replace it with the latest update, run the following command before deploying the latest hotfix:

    rm -rf /usr/local/horizon/conf/flags/HW-154129-21.08.0.0-hotfix.applied

Patch Deployment Procedure:

1. Log in as sshuser and sudo to root-level access.
2. Download and transfer HW-154129-Appliance-<Version>.zip to the virtual appliance. The zip file can be saved anywhere on the file system. VMware recommends the SCP protocol to transfer the file to the appliance; tools such as WinSCP can also be used.
3. Unzip the file using the command below:

    unzip HW-154129-Appliance-<Version>.zip

4. Navigate into the unzipped folder using the command below:

    cd HW-154129-Appliance-<Version>

5. Run the patch script using the command below:

    ./HW-154129-applyPatch.sh

NOTE: If you are running a cluster deployment, repeat the steps above on all additional nodes of the cluster.

Patch Deployment Validation:

- Log in as an Administrator to the Workspace ONE Access Console and verify that the System Diagnostics page is green.
- For 20.xx versions, verify the build number from the Workspace ONE Access Configuration Settings page ONLY (accessed through https://{FQDN}:8443/cfg/). The build number may not be updated in other locations. Build numbers are listed above.
- For 3.3.x versions, verify the presence of the HW-154129 flag in the /usr/local/horizon/conf/flags/ location. Detailed flag names are noted above.

NOTE: If you upgrade the appliance to a later version, you will need to reapply the corresponding patch version on all the nodes.

To revert this patch, revert to the appliance snapshot(s) and the database backup taken before applying these steps.
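As an added example (not part of this KB and not a VMware tool), the following POSIX sh helper automates the flag-based validation step for 3.3.x appliances described above, so it can be run on each node during a rolling deployment, and it also reports whether the stale 21.08.0.0 flag that must be removed before the updated hotfix is applied is still present. The flag names and the flags directory are the ones listed in this article; the FLAG_DIR override, the function names and the exit codes are this example's own conventions.

```shell
#!/bin/sh
# Added example, not VMware's code: post-deployment check for the flag-based
# validation the KB describes for vIDM 3.3.x appliances.
# FLAG_DIR defaults to the appliance path given in the KB; it can be overridden
# (e.g. for testing) by exporting FLAG_DIR before sourcing this file.
FLAG_DIR="${FLAG_DIR:-/usr/local/horizon/conf/flags}"

# Map a vIDM 3.3.x appliance version to the flag file the hotfix writes.
# The names are copied from the KB table (note the "i" in the 3.3.5 flag).
expected_flag() {
  case "$1" in
    3.3.6) echo "HW-154129-3.3.6.0-hotfix.applied" ;;
    3.3.5) echo "HW-154129-3.3.5.0i-hotfix.applied" ;;
    3.3.4) echo "HW-154129-3.3.4.0-hotfix.applied" ;;
    3.3.3) echo "HW-154129-3.3.3.0-hotfix.applied" ;;
    *)     return 1 ;;
  esac
}

# Exit status (this example's convention):
#   0 = flag present, hotfix applied on this node
#   1 = flag missing, hotfix not applied on this node
#   2 = no flag name listed for this version; validate via the Configurator
#       build number instead, as the KB instructs for 20.xx/21.08 builds
hotfix_applied() {
  flag=$(expected_flag "$1") || return 2
  [ -f "$FLAG_DIR/$flag" ]
}

# The KB says a 21.08.0.0 hotfix downloaded before 1630 PDT on 7 April 2022
# leaves a flag that has to be removed before the updated zip is applied.
# This only reports that state; the rm is a deliberate manual step in the KB.
stale_2108_flag_present() {
  [ -f "$FLAG_DIR/HW-154129-21.08.0.0-hotfix.applied" ]
}

# Print a one-line verdict for this node; the exit status mirrors hotfix_applied.
# The if/else keeps the status capture safe under "set -e".
validate_node() {
  if hotfix_applied "$1"; then rc=0; else rc=$?; fi
  case "$rc" in
    0) echo "OK: $(expected_flag "$1") present in $FLAG_DIR" ;;
    1) echo "MISSING: $(expected_flag "$1") not found in $FLAG_DIR; hotfix not applied here" ;;
    *) echo "NOFLAG: no flag listed for version $1; check the Configurator build number instead" ;;
  esac
  return "$rc"
}

# Usage on an appliance (run as root after the apply script has finished):
#   . ./check-hotfix.sh && validate_node 3.3.6
# and, on 21.08.0.0 nodes, before re-running the updated hotfix:
#   stale_2108_flag_present && echo "remove the pre-Apr-7 flag first"
```

Running validate_node on every cluster member after the apply script completes gives a consistent per-node verdict that can be collected centrally, which is easier to audit than manually listing the flags directory on each node.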
Relevant URLs

- VMSA-2022-0011
- Techzone - FAQs
- VMware Security Blog
- VMware Cloud Foundation Blog
- KB for Workaround instructions
- KB for vRA 7.6 patch deployment

Change Log

- April 6th, 2022 0800 PDT - KB published
- April 6th, 2022 1200 PDT - Updated validation steps for 3.3.x versions
- April 7th, 2022 1630 PDT - Updated hotfix file available for 21.08.0.0, to address an issue with DB connectivity monitoring caused by the previous hotfix. Added specific guidance for deploying this updated hotfix
- April 8th, 2022 1430 PDT - Added clarification for deployment validation procedure
- April 11th, 2022 1300 PDT - Added clarification for VCF 3.x
- April 13th, 2022 1500 PDT - Added clarification that Service Appliances are affected and not Connectors.