...
CVE-2022-31700 and CVE-2022-31701 have been determined to impact Workspace ONE Access (VMware Identity Manager). These vulnerabilities and their impact on VMware products are documented in the VMware Security Advisory VMSA-2022-0032; please review that advisory before continuing.

Impacted Product Suites

vRealize Suite Automation Lifecycle Manager (vRSLCM) 8.x: the vRSLCM product suite can be impacted. If vIDM is used within the vRSLCM environment, follow this knowledge base article and apply the patch directly to the vIDM appliance(s).

VMware Cloud Foundation (VCF) 4.x: VCF product suites can be impacted. If vIDM is used within the VCF environment, follow this knowledge base article and apply the patch directly to the vIDM appliance(s).

List of affected versions

Product                      Component   Version(s)   Applicable CVE(s)
VMware Workspace ONE Access  Appliance   22.09.0.0    CVE-2022-31701
VMware Workspace ONE Access  Appliance   21.08.0.1    CVE-2022-31700, CVE-2022-31701
VMware Workspace ONE Access  Appliance   21.08.0.0    CVE-2022-31700, CVE-2022-31701
VMware Identity Manager      Appliance   3.3.6        CVE-2022-31700, CVE-2022-31701

NOTE: Customers leveraging cloud (SaaS) instances of Workspace ONE Access can find information pertaining to such tenants by logging in to the Workspace ONE Access admin console and reviewing the available notifications.
Install the patch relevant to your version of WS1 Access, or upgrade to the latest available version from the table below, to address the vulnerabilities noted in this document. No workaround is available for these vulnerabilities.

Before You Begin:

- Customers on 22.09.0.0 should upgrade to the new release 22.09.1.0, as it includes the fix. No patch is available for 22.09.0.0. Refer to the 22.09.1.0 release notes for more details.
- It is recommended to upgrade instances of unsupported versions to a newer supported version before applying the patch. This procedure will not work for unsupported versions. Refer to the VMware Lifecycle Matrix for the list of supported versions of the product.
- It is strongly recommended to take a snapshot or backup of the appliance(s) and the database server before applying this procedure.

Download the patches:

Product                      Component   Patch Download Link          Upgrade Available
VMware Workspace ONE Access  Appliance   22.09.0.0 (Not Applicable)   22.09.1.0
VMware Workspace ONE Access  Appliance   21.08.0.1                    22.09.1.0
VMware Workspace ONE Access  Appliance   21.08.0.0                    22.09.1.0
VMware Identity Manager      Appliance   3.3.6                        NA

NOTE:
- The patch can be deployed independently and does not require all appliances to be offline at the same time. The patch can therefore be deployed in a rolling fashion without taking the entire Workspace ONE Access environment offline.
- This patch can be applied regardless of any patches previously applied to the appliance; earlier patches do not affect the installation of this patch.
- If you upgrade the appliance to a later version, you will need to reapply the corresponding patch version on all the nodes.
- If you are running a cluster deployment, repeat the deployment steps on each additional node of the cluster.
- To revert this patch, revert to the appliance(s) snapshot and the database backup taken before applying these steps.

Patch Deployment Procedure:

1. Log in as sshuser and sudo to root-level access.
2. Download and transfer HW-165708-Appliance-<Version>.zip to the virtual appliance. This zip file can be saved anywhere on the file system. VMware recommends the SCP protocol to transfer the file to the appliance; tools such as WinSCP can also be used.
3. Unzip the file using the command below.
       unzip HW-165708-Appliance-<Version>.zip
4. Navigate to the files within the unzipped folder using the command below.
       cd HW-165708-Appliance-<Version>
5. Run the patch script using the command below.
       ./HW-165708-applyPatch.sh
6. Follow this step only if Android Mobile SSO is configured in your environment.
       chmod 755 /etc/rc.d/init.d/vmware-certproxy
       systemctl enable vmware-certproxy
       systemctl start vmware-certproxy

Patch Deployment Validations:

- Log in as an Administrator to the Workspace ONE Access Console and verify that the System Diagnostics page is green.
- If the patch is applied successfully, a flag file named HW-165708-<version-number>-hotfix.applied (for example, HW-165708-21.08.0.1-hotfix.applied) is created in the /usr/local/horizon/conf/flags directory.
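A post-patch validation check for one node, written as an added example for this article (it is not VMware's own script): it derives the expected flag-file name from the appliance version, refuses the versions this patch does not cover (22.09.0.0 must be upgraded instead), and looks for the flag in the flags directory named above. The check_certproxy helper only applies where Android Mobile SSO is configured (step 6).

```shell
#!/bin/sh
# Post-patch validation for HW-165708 (added example, not VMware's own script).
# The flag directory and file-name pattern come from the KB article above.

FLAGS_DIR="${FLAGS_DIR:-/usr/local/horizon/conf/flags}"

# Print the flag file the patch creates for a given appliance version.
# Versions the patch does not cover fail, with the reason on stderr.
expected_flag_for_version() {
    case "$1" in
        21.08.0.0|21.08.0.1|3.3.6)
            printf 'HW-165708-%s-hotfix.applied\n' "$1" ;;
        22.09.0.0)
            echo "no patch for 22.09.0.0: upgrade to 22.09.1.0" >&2
            return 1 ;;
        *)
            echo "version $1 is not covered by this patch" >&2
            return 1 ;;
    esac
}

# Succeed only if the hotfix flag for this version exists in the flags dir.
check_hotfix_applied() {
    _flags_dir="$1"
    _version="$2"
    _flag="$(expected_flag_for_version "$_version")" || return 1
    [ -f "$_flags_dir/$_flag" ]
}

# Step 6 only applies when Android Mobile SSO is configured: after the
# chmod/enable/start the cert proxy unit must be both enabled and active.
check_certproxy() {
    systemctl is-enabled --quiet vmware-certproxy &&
        systemctl is-active --quiet vmware-certproxy
}

# Run on one node after applying the patch; repeat on every cluster node.
validate_node() {
    check_hotfix_applied "$FLAGS_DIR" "$1" || {
        echo "hotfix flag for $1 missing in $FLAGS_DIR" >&2
        return 1
    }
    echo "hotfix flag present for $1"
}
```

Run it as root on each patched node, e.g. `validate_node 21.08.0.1`, and add `check_certproxy` to the run only on nodes where step 6 was performed.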
Change Log

Dec 14, 2022: Added step 6 to resolve certproxy permissions.