How To Fix Critical Vulnerabilities On VMWare (CVE-2021-22002, CVE-2021-22003)?

A couple of vulnerabilities (CVE-2021-22002, CVE-2021-22003) were reported to VMWare, which affects multiple products of VMWare. VMWare has released workaround and patches in order to address the critical vulnerabilities. Let’s learn how to fix critical vulnerabilities on VMWare (CVE-2021-22002, CVE-2021-22003)?

VMWare Products Impacted:

CVE-2021-22002, CVE-2021-22003 vulnerabilities impact multiple VMWare products. Here is the list of the products.

  • VMware Workspace ONE Access (Access)
  • VMware Identity Manager (vIDM)
  • VMware vRealize Automation (vRA)
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager

With an extension to the above list. These two vulnerabilities affect some releases of VMWare Workspace ONE Access too. Here you see the table.

Product Component Version(s) Guest Operating System
VMware Workspace ONE Access 20.10.0.1 Linux
VMware Workspace ONE Access 20.10 Linux
VMware Workspace ONE Access 20.01 Linux
VMware Identity Manager 3.3.5 Linux
VMware Identity Manager 3.3.4 Linux
VMware Identity Manager 3.3.3 Linux
VMware Identity Manager 3.3.2 Linux
vRealize Automation (embedded vIDM) 7.6 Linux

CVE-2021-22002:

This vulnerability lets both VMware Workspace ONE Access and Identity Manager access ‘/cfg web app’ and ‘diagnostic endpoints’ services on port 443, which is supposed to be accessible on port 8443, The services running on 8443 can be accessed on port 443, VMware considered this issue to be of ‘Important‘ severity with a maximum CVSSv3 base score of 8.6.

This flaw can help attackers with network access to port 443 accessing the /cfg web app just by tampering with the host header. The vulnerability also allows attackers to access /cfg diagnostic endpoints without authentication.

CVE-2021-22003:

This vulnerability allows both VMware Workspace ONE Access and Identity Manager to provide a login interface on port 7443, unintentionally. VMware considered this issue to be of ‘Low‘ severity with a maximum CVSSv3 base score of 3.7.

This flaw lets attackers to brute force the login endpoint and user enumeration over port 7443. However, successful brute force is difficult to achieve, in fact, it is impractical to consider when we have lockout policy configuration in place. 

Prechecks before you begin:

  1. Take the snapshot without virtual memory.
  2. Note down current build number from: https://<fqdn_of_appliance>:8443/cfg/login
  3. Download the patch files for your product:
Product Version
VMware Workspace ONE Access 20.10.0.1
VMware Workspace ONE Access 20.10
VMware Workspace ONE Access 20.01
VMware Identity Manager 3.3.5
VMware Identity Manager 3.3.4
VMware Identity Manager 3.3.3
VMware Identity Manager 3.3.2
vRealize Automation (vIDM) 7.6

How To Fix Critical Vulnerabilities On VMWare (CVE-2021-22002, CVE-2021-22003)?

VMWare has released patches to fix the vulnerabilities. VMWare also said it would include the patch in its next release of VMware Workspace ONE Access so that VMWare users may no need to apply the patches explicitly. The procedure written here will remain the same for all the products except vRealize Automation (embedded vIDM) 7.6. There is a different workaround for vRA 7.6, which we will share in the following sections.

Note: vRealize Suite Automation Lifecycle Manager (vRSLCM) 8.x: vRSLCM product suite can be impacted. If vIDM is used within the vRSLCM environment. Moreover, VMware Cloud Foundation (VCF) 4.x: VCF product suites can also be impacted. If vIDM is used within the VCF environment, 

Let’s fix the critical vulnerabilities on VMWare (CVE-2021-22002, CVE-2021-22003).

Note: No need to take the entire Workspace ONE Access/vIDM environment offline as patches can be applied independently on each appliance. The patching procedure may take approximately 10 minutes on each appliance, so you can plan this patching process in a rolling fashion. 

Time needed: 10 minutes.

Patch Installation Procedures for Linux Virtual Appliance:

  1. Login to the appliance with ssh user and switch to the root user.

    $ sudo su

  2. Transfer the patch .zip file to the Linux virtual appliance

    Hint: You can use tools like WinSCP to transfer the file to the virtual appliance.

  3. Unzip the file using below command

    # unzip HW-137959-<appliance version>.zip 

  4. Navigate to the files within the unzipped folder

    # cd HW-137959-<appliance version>

  5. Run the patch script using below command from terminal

    # ./HW-137959-Patch.sh

  6. Make sure appliance version and patch version is same.

    Request to download the correct file. Or else, your terminal will say “Please download the correct version of the patch”.

  7. Evaluate the warning of creating a backup before proceeding

    Type ‘y’ and press <Enter> to continue

  8. Give 5 minutes for the patch to be applied and give 5 more minutes for the appliance services to start.

  9. Validate the horizon-workspace service is started

    Use the command to check the status of the horizon-workspace
    # service horizon-workspace status

    Or

    You can also validate successful patching by launching the Configurator login page: https://<fqdn_of_appliance>:8443/cfg/login
    Take the build number from the README.txt file and verify the build version on the configuration login page.

  10. Check out the Rollback Procedures:

    If you are encountered with a problem and you don’t have the backup to roll back. these steps would help you.
    Login to the appliance and stop the horizon-workspace service.

    # service horizon-workspace stop

  11. Execute the WAR file that was in use prior to applying the patch

    # deployWar /usr/local/horizon/war/svadmin-webapp-0.1.war cfg

  12. Replace the server.xml and cert-proxy-server-0.1.jar files with the backup file created during patch deployment

    # mv /opt/vmware/horizon/workspace/conf/server.xml.bk /opt/vmware/horizon/workspace/conf/server.xml
    # mv /opt/vmware/certproxy/lib/cert-proxy-server-0.1.jar.bk /opt/vmware/certproxy/lib/cert-proxy-server-0.1.jar

  13. If, Mobile SSO(Android) is configured within the tenant.  Restart the vmware-certproxy service

    # service vmware-certproxy restart

    Give up to 3 minutes for the vmware-certproxy service to start. Validate vmware-certproxy has started
    # service vmware-certproxy status

  14. Remove the Flag File. Please replace the <appliance-version> in the command with the version code of the appliance being rolled back

    # rm -f /usr/local/horizon/conf/flags/HW-137959-<appliance-version>.applied

    Example (20.10): rm -f /usr/local/horizon/conf/flags/HW-137959-20.10.applied
    Example (3.3.5): rm -f /usr/local/horizon/conf/flags/HW-137959-3.3.5.0.applied

  15. Restart the service horizon-workspace. Give up to 5 minutes for the appliance horizon-workspace service to start

    # service horizon-workspace restart

  16. Validate the horizon-workspace service is started

    Use the command to check the status of the horizon-workspace
    # service horizon-workspace status

    Or

    You can also validate successful patching by launching the Configurator login page: https://<fqdn_of_appliance>:8443/cfg/login
    The build number should be the same prior to the deployment of the patch and verify the build version on the configuration login page.

This is how you can fix critical vulnerabilities on VMWare (CVE-2021-22002, CVE-2021-22003).

Thanks for reading this tutorial. Please share this information and help to secure the digital world.

原创文章,作者:ItWorker,如若转载,请注明出处:https://blog.ytso.com/tech/aiops/270018.html

(0)
上一篇 2022年6月24日 01:06
下一篇 2022年6月24日 01:06

相关推荐

发表回复

登录后才能评论