Workspace ONE Access

How to Mitigate Spectre & Meltdown Security Vulnerabilities in VMware Identity Manager

Spectre and Meltdown (CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754) are two recently discovered security vulnerabilities that can allow a rogue process to access the memory of other processes running on the same device. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

This post covers how you can protect your VMware Identity Manager deployment against these security vulnerabilities. As with all vulnerabilities, one of the most important things you can do to secure your deployments is to ensure Identity Manager is up to date.

How can you protect your deployments?

If you are an Identity Manager customer, you have either the SaaS or the On-Premises deployment type. In the SaaS deployment type, your Identity Manager service is hosted by VMware and has already been updated. In the On-Premises deployment type, your service is hosted on premises by your IT team and must be updated to mitigate the Spectre and Meltdown vulnerabilities. In either deployment type, your Identity Manager connector is installed on premises and needs to be updated.

The table below indicates the steps we encourage you to perform on various components that you have deployed.

| Deployment Type | VMware IDM Connector (Linux-based virtual appliance) | VMware IDM Connector (Windows installer) | VMware IDM Service (Linux-based virtual appliance) | VMware IDM Service (Windows installer) |
|---|---|---|---|---|
| SaaS | Upgrade to version 2018.1.1.0 or later | No upgrade required. Protect your Windows machines as per this Microsoft article. | N/A | N/A |
| On-Premise | Upgrade to version 2018.1.1.0 or later | No upgrade required. Protect your Windows machines as per this Microsoft article. | Upgrade to version 3.2 or later | No upgrade required. Protect your Windows machines as per this Microsoft article. |

Identity Manager Connector: Linux-based virtual appliance

If your VMware Identity Manager connector is deployed as a virtual appliance, ensure that you immediately upgrade to the most recent release of VMware Identity Manager Connector (version 2018.1.1.0). See here for official documentation on how to upgrade your VMware Identity Manager Connector virtual appliance.

Upgrade Path:

| Current version of Connector | Upgrade path to Connector version 2018.1.1.0 |
|---|---|
| 2017.8.1.0 – 2017.12.1.99 | Direct upgrade to 2018.1.1.0 |
| 2017.7.1.1 | First, upgrade to 2017.12.1.0. Then, upgrade from 2017.12.1.0 to 2018.1.1.0. |
| 2015.10.1.0 – 2017.7.1.0 | First, upgrade to 2017.8.1.0. Then, upgrade from 2017.8.1.0 to 2018.1.1.0. |

Note: To find the current version of your connector appliance, either navigate to the Connectors page of the VMware Identity Manager admin console, or log in to your virtual appliance as the root user and run the following command:

/usr/local/horizon/scripts # vamicli version --appliance

Identity Manager Connector: Windows

If your Connector is installed on a Windows Server, ensure you take the necessary steps to protect your Windows machines. See the Microsoft article here.

Identity Manager Service: Linux-based virtual appliance

In an on-premise VMware Identity Manager deployment, you also have the VMware Identity Manager Service deployed as a virtual appliance in your internal network. Ensure that you upgrade your Service virtual appliance to the most recent release (version 3.2). See here for documentation on how to upgrade your VMware Identity Manager Service virtual appliance.

Upgrade Path:

| Current version of VMware Identity Manager Service | Upgrade path to VMware Identity Manager Service version 3.2 |
|---|---|
| 3.1 – 3.1.0.99 | Direct upgrade to 3.2 |
| 2.9.1.0 – 3.0.0.99 | First, upgrade to 3.1. Then, upgrade from 3.1 to 3.2. |
| 2.4.0.0 – 2.9.0.0 | First, upgrade to 3.0. Then, upgrade from 3.0 to 3.1. Then, upgrade from 3.1 to 3.2. |

Note: To find the current version of your service appliance, log in to your virtual appliance as the root user and run the following command:

/usr/local/horizon/scripts # vamicli version --appliance
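
The connector and service upgrade-path tables above can be applied mechanically when you have several appliances to check. The following is an added example, not VMware's code: the function names `ver_le` and `plan_upgrade` are hypothetical, and the version ranges are copied from the tables on this page. Pass it the version reported by `vamicli version --appliance`; a version outside every listed range is rejected rather than guessed at.

```shell
#!/bin/sh
# Added example: plans the upgrade hops from the tables on this page.
# Rows are "lowest highest next-hop", copied from the upgrade-path tables.
CONNECTOR_PATHS='2015.10.1.0 2017.7.1.0 2017.8.1.0
2017.7.1.1 2017.7.1.1 2017.12.1.0
2017.8.1.0 2017.12.1.99 2018.1.1.0'
SERVICE_PATHS='2.4.0.0 2.9.0.0 3.0
2.9.1.0 3.0.0.99 3.1
3.1 3.1.0.99 3.2'

# ver_le A B: succeeds when dotted version A <= B; missing fields count as 0.
ver_le() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# plan_upgrade connector|service VERSION: prints the chain of versions to
# install, ending at the fixed release. Returns 1 when VERSION falls outside
# every listed range (the tables do not cover it), 2 on bad arguments.
plan_upgrade() {
    case $1 in
        connector) rows=$CONNECTOR_PATHS target=2018.1.1.0 ;;
        service)   rows=$SERVICE_PATHS target=3.2 ;;
        *) echo "usage: plan_upgrade connector|service VERSION" >&2; return 2 ;;
    esac
    case $2 in ''|*[!0-9.]*) echo "bad version: $2" >&2; return 2 ;; esac
    cur=$2 path=$2
    while ! ver_le "$target" "$cur"; do      # loop until at or past the fix
        next=
        while read -r lo hi hop; do
            if ver_le "$lo" "$cur" && ver_le "$cur" "$hi"; then next=$hop; break; fi
        done <<EOF
$rows
EOF
        [ -n "$next" ] || { echo "$cur: not in a listed range" >&2; return 1; }
        path="$path -> $next" cur=$next
    done
    echo "$path"
}
```

An appliance already at or beyond the fixed release yields a chain containing only its own version, meaning no upgrade hop is needed.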

Identity Manager Service: Windows

If your VMware Identity Manager Service is installed on a Windows Server, ensure you take the necessary steps to protect your Windows machines. See the Microsoft article here.