VMware has released a critical security update for its Workspace ONE Access, VMware Identity Manager (vIDM), vRealize Lifecycle Manager, vRealize Automation, and VMware Cloud Foundation products, which address various vulnerabilities.
We’ll show you how to apply the VMSA-2022-0014 patch for vIDM (VMware Identity Manager) version 3.3.6 in this post.
We’ll use KB88438 (https://kb.vmware.com/s/article/88438) to apply the fix.
Product Component | Version(s) |
VMware Workspace ONE Access Appliance | 21.08.0.1 |
VMware Workspace ONE Access Appliance | 21.08.0.0 |
VMware Workspace ONE Access Appliance | 20.10.0.1 |
VMware Workspace ONE Access Appliance | 20.10.0.0 |
VMware Identity Manager Appliance | 3.3.6 |
VMware Identity Manager Appliance | 3.3.5 |
VMware Identity Manager Appliance | 3.3.4 |
VMware Identity Manager Appliance | 3.3.3 |
Resolution:
Depending on the version of VMware Identity Manager that you are using, you will need to download a patch file. We will download a fix for VMware Identity Manager 3.3.6 in this article.
Before you begin:
1. Go to the VMware Identity Manager 3.3.6 product download page. (https://customerconnect.vmware.com/downloads/details?downloadGroup=VIDM_ONPREM_3360&productId=786&rPId=82542)
2. HW-156875-Appliance-3.3.6.zip is a compressed file that may be downloaded (approximate file 165.04 MB)
3. Before applying a patch, take a snapshot of VMware Identity Manager.
- If your VMware Identity Manager isn’t part of VMware’s vRealize Suite Lifecycle Manager (vRSLCM), you may take a snapshot using vCenter server – no downtime is required.
- If your VMware Identity Manager is part of VMware vRealize Suite Lifecycle Manager (vRSLCM), you must use VMware vRealize Suite Lifecycle Manager (vRSLCM) to take a snapshot – this will need downtime.
4. Before applying the patch, double-check the value of the file gateway.hostname attribute.
- 4.1 connect to VMware Identity Manager with ssh
- 4.2 Using the vi editor or the command “cat,” open the file /usr/local/horizon/conf/runtime-config.properties.
- 4.3 Take note of gateway.hostname’s FQFN.
Note: If you apply the patch and get a “HTTP GET call returned 444” error.
Patch deployment procedure:
This hotfix is a cumulative patch and includes all previous hotfixes provided for a given version of Workspace ONE Access/VIDM.
If you are running a cluster deployment, repeat the deployment steps on each additional node of the cluster.
1. HW-156875-Appliance-3.3.6.zip should be copied to VMware Identity Manager (In this post, we transfer file to tmp folder by using WinSCP or tools that used to transfer file)
2. Log in as root to VMware Identity Manager.
3. To reach the “tmp” folder, use the “cd” command.
4. To extract the file, use the command “unzip.”
unzip HW-156875-Appliance-3.3.6
- Navigate to the HW-156875-Appliance-3.3.6 folder.
cd HW-156875-Appliance-3.3.6
- Using the “ls -l” command, check the script file.
7. To run the patch script, use the following command.
./HW-156875-applyPatch.sh
8. Before continuing, the script will ask you to confirm that you have already taken a snapshot; press “y” to continue.
In VMware Identity Manager, the script will be run.
Patch deployment validations:
1. If the patch is installed successfully, a flag file named HW-156875-3.3.6-hotfix.applied will be produced.
2. Go to the /usr/local/horizon/conf/flags folder.
3. Check the file HW-156875-3.3.6-hotfix.applied, which is already in the folder.
4. Verify the System Diagnostics page is green by logging in as an administrator to the Workspace ONE Access Console.
If you’re running vIDM in a cluster, ensure sure all of the vIDM components are green, as well as the symbol in the upper right.
The VMware security team has published a list of critical vulnerability alerts. An authentication bypass and a privilege escalation are the weaknesses. An attacker can get administrator access to Workspace ONE Access, VMware Identity Manager, and vRealize Automation by connecting to the network. To reduce the risk to your VMware environment, we recommend applying the patch as soon as possible.
VMware TAM’s are your guide to success
VMware Technical Account Managers (TAMs) are passionate and dedicated in guiding you to your success. They can help you accelerate time to value of your VMware solutions, optimize operations and keep pace with rapid technology changes. Explore all the ways TAMs can help you by watching this video.