A couple of vulnerabilities (CVE-2021-22002, CVE-2021-22003) were reported to VMWare, which affects multiple products of VMWare. VMWare has released workaround and patches in order to address the critical vulnerabilities. Let’s learn how to fix critical vulnerabilities on VMWare (CVE-2021-22002, CVE-2021-22003)?
Table of Contents
VMWare Products Impacted:
CVE-2021-22002, CVE-2021-22003 vulnerabilities impact multiple VMWare products. Here is the list of the products.
- VMware Workspace ONE Access (Access)
- VMware Identity Manager (vIDM)
- VMware vRealize Automation (vRA)
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager
With an extension to the above list. These two vulnerabilities affect some releases of VMWare Workspace ONE Access too. Here you see the table.
| Product Component | Version(s) | Guest Operating System |
| VMware Workspace ONE Access | 20.10.0.1 | Linux |
| VMware Workspace ONE Access | 20.10 | Linux |
| VMware Workspace ONE Access | 20.01 | Linux |
| VMware Identity Manager | 3.3.5 | Linux |
| VMware Identity Manager | 3.3.4 | Linux |
| VMware Identity Manager | 3.3.3 | Linux |
| VMware Identity Manager | 3.3.2 | Linux |
| vRealize Automation (embedded vIDM) | 7.6 | Linux |
CVE-2021-22002:
This vulnerability lets both VMware Workspace ONE Access and Identity Manager access ‘/cfg web app’ and ‘diagnostic endpoints’ services on port 443, which is supposed to be accessible on port 8443, The services running on 8443 can be accessed on port 443, VMware considered this issue to be of ‘Important‘ severity with a maximum CVSSv3 base score of 8.6.
This flaw can help attackers with network access to port 443 accessing the /cfg web app just by tampering with the host header. The vulnerability also allows attackers to access /cfg diagnostic endpoints without authentication.
CVE-2021-22003:
This vulnerability allows both VMware Workspace ONE Access and Identity Manager to provide a login interface on port 7443, unintentionally. VMware considered this issue to be of ‘Low‘ severity with a maximum CVSSv3 base score of 3.7.
This flaw lets attackers to brute force the login endpoint and user enumeration over port 7443. However, successful brute force is difficult to achieve, in fact, it is impractical to consider when we have lockout policy configuration in place.
Prechecks before you begin:
- Take the snapshot without virtual memory.
- Note down current build number from: https://<fqdn_of_appliance>:8443/cfg/login
- Download the patch files for your product:
| Product | Version |
| VMware Workspace ONE Access | 20.10.0.1 |
| VMware Workspace ONE Access | 20.10 |
| VMware Workspace ONE Access | 20.01 |
| VMware Identity Manager | 3.3.5 |
| VMware Identity Manager | 3.3.4 |
| VMware Identity Manager | 3.3.3 |
| VMware Identity Manager | 3.3.2 |
| vRealize Automation (vIDM) | 7.6 |
How To Fix Critical Vulnerabilities On VMWare (CVE-2021-22002, CVE-2021-22003)?
VMWare has released patches to fix the vulnerabilities. VMWare also said it would include the patch in its next release of VMware Workspace ONE Access so that VMWare users may no need to apply the patches explicitly. The procedure written here will remain the same for all the products except vRealize Automation (embedded vIDM) 7.6. There is a different workaround for vRA 7.6, which we will share in the following sections.
Note: vRealize Suite Automation Lifecycle Manager (vRSLCM) 8.x: vRSLCM product suite can be impacted. If vIDM is used within the vRSLCM environment. Moreover, VMware Cloud Foundation (VCF) 4.x: VCF product suites can also be impacted. If vIDM is used within the VCF environment,
Let’s fix the critical vulnerabilities on VMWare (CVE-2021-22002, CVE-2021-22003).
Note: No need to take the entire Workspace ONE Access/vIDM environment offline as patches can be applied independently on each appliance. The patching procedure may take approximately 10 minutes on each appliance, so you can plan this patching process in a rolling fashion.
Time needed: 10 minutes.
Patch Installation Procedures for Linux Virtual Appliance:
- Login to the appliance with ssh user and switch to the root user.
$ sudo su
- Transfer the patch .zip file to the Linux virtual appliance
Hint: You can use tools like WinSCP to transfer the file to the virtual appliance.
- Unzip the file using below command
# unzip HW-137959-<appliance version>.zip
- Navigate to the files within the unzipped folder
# cd HW-137959-<appliance version>
- Run the patch script using below command from terminal
# ./HW-137959-Patch.sh
- Make sure appliance version and patch version is same.
Request to download the correct file. Or else, your terminal will say “Please download the correct version of the patch”.
- Evaluate the warning of creating a backup before proceeding
Type ‘y’ and press <Enter> to continue
- Give 5 minutes for the patch to be applied and give 5 more minutes for the appliance services to start.
- Validate the horizon-workspace service is started
Use the command to check the status of the horizon-workspace
# service horizon-workspace statusOr
You can also validate successful patching by launching the Configurator login page: https://<fqdn_of_appliance>:8443/cfg/login
Take the build number from the README.txt file and verify the build version on the configuration login page. - Check out the Rollback Procedures:
If you are encountered with a problem and you don’t have the backup to roll back. these steps would help you.
Login to the appliance and stop the horizon-workspace service.# service horizon-workspace stop
- Execute the WAR file that was in use prior to applying the patch
# deployWar /usr/local/horizon/war/svadmin-webapp-0.1.war cfg
- Replace the server.xml and cert-proxy-server-0.1.jar files with the backup file created during patch deployment
# mv /opt/vmware/horizon/workspace/conf/server.xml.bk /opt/vmware/horizon/workspace/conf/server.xml
# mv /opt/vmware/certproxy/lib/cert-proxy-server-0.1.jar.bk /opt/vmware/certproxy/lib/cert-proxy-server-0.1.jar - If, Mobile SSO(Android) is configured within the tenant. Restart the vmware-certproxy service
# service vmware-certproxy restart
Give up to 3 minutes for the vmware-certproxy service to start. Validate vmware-certproxy has started
# service vmware-certproxy status - Remove the Flag File. Please replace the <appliance-version> in the command with the version code of the appliance being rolled back
# rm -f /usr/local/horizon/conf/flags/HW-137959-<appliance-version>.applied
Example (20.10): rm -f /usr/local/horizon/conf/flags/HW-137959-20.10.applied
Example (3.3.5): rm -f /usr/local/horizon/conf/flags/HW-137959-3.3.5.0.applied - Restart the service horizon-workspace. Give up to 5 minutes for the appliance horizon-workspace service to start
# service horizon-workspace restart
- Validate the horizon-workspace service is started
Use the command to check the status of the horizon-workspace
# service horizon-workspace statusOr
You can also validate successful patching by launching the Configurator login page: https://<fqdn_of_appliance>:8443/cfg/login
The build number should be the same prior to the deployment of the patch and verify the build version on the configuration login page.
This is how you can fix critical vulnerabilities on VMWare (CVE-2021-22002, CVE-2021-22003).
Thanks for reading this tutorial. Please share this information and help to secure the digital world.
原创文章,作者:ItWorker,如若转载,请注明出处:https://blog.ytso.com/270018.html