VMware vCenter Operations Management Suite workaround and remediation for CVE-2014-0094 and CVE-2014-0112 (2081470)

Symptoms


VMware vCenter Operations Management Suite 5.x is impacted by:

  • CVE-2014-0094
  • CVE-2014-0112

To remediate the vulnerabilities, upgrade to vCenter Operations Management Suite 5.8.2. For more information on documented vulnerabilities, see the VMware Security Advisory VMSA-2014-0007.

Resolution

If you cannot immediately upgrade to vCenter Operations Management Suite 5.8.2, complete the workaround.

To work around this issue:

  1. Log in to the vRealize Operations (formerly known as vCenter Operations) UI VM as root using SSH.

  2. Run this command to go to the directory containing the struts.xml file under the tomcat structure:

    cd /usr/lib/vmware-vcops/tomcat/webapps/vcops-vsphere/WEB-INF/classes

  3. Run this command to edit the struts.xml file:

    vi struts.xml

  4. Add this line under the <interceptor-ref name="defaultStack"> tag:

    <param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>


    After the addition, the <interceptors> tag must appear as:

    <interceptors>
        <interceptor name="vcRegistrationChecking" class="com.integrien.alive.ui.util.VCRegistrationCheckingInterceptor" />
        <interceptor name="permissionChecking" class="com.integrien.alive.ui.util.PermissionCheckingInterceptor" />
        <interceptor-stack name="user">
            <interceptor-ref name="vcRegistrationChecking" />
            <interceptor-ref name="permissionChecking" />
            <interceptor-ref name="defaultStack">
                <param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
                <param name="workflow.inputResultName">validationError</param>
            </interceptor-ref>
        </interceptor-stack>
    </interceptors>



  5. Run this command to go to the directory containing the struts.xml file under the tomcat-enterprise structure:

    cd /usr/lib/vmware-vcops/tomcat-enterprise/webapps/vcops-custom/WEB-INF/classes

  6. Run this command to edit the struts.xml file:

    vi struts.xml

  7. Add this line under the <interceptor-ref name="defaultStack"> tag:

    <param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>


    After the addition, the <interceptors> tag must appear as:

    <interceptors>
        <interceptor name="authentication" class="com.integrien.alive.ui.util.AuthenticationInterceptor" />
        <interceptor-stack name="user">
            <interceptor-ref name="authentication" />
            <interceptor-ref name="defaultStack">
                <param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
                <param name="workflow.inputResultName">validationError</param>
            </interceptor-ref>
        </interceptor-stack>
    </interceptors>



  8. Repeat steps 1 to 7 for the vRealize Operations Analytics VM.

  9. Restart vRealize Operations using the admin page.
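To confirm the edit on each VM before the restart, the following script checks that the params.excludeParams line from steps 4 and 7 sits inside the <interceptor-ref name="defaultStack"> element of each struts.xml. It is an added example, not part of the VMware KB; the script name check_struts.sh and the function names are hypothetical, and it assumes the line was pasted unmodified on a single line.

```sh
#!/bin/sh
# Added example, not from the VMware KB: confirm the workaround line is in place.
# Usage (script name is hypothetical):
#   sh check_struts.sh \
#     /usr/lib/vmware-vcops/tomcat/webapps/vcops-vsphere/WEB-INF/classes/struts.xml \
#     /usr/lib/vmware-vcops/tomcat-enterprise/webapps/vcops-custom/WEB-INF/classes/struts.xml

# The <param> line exactly as given in steps 4 and 7 of the KB.
expected_param() {
cat <<'EOF'
<param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
EOF
}

# Returns 0 if the line sits inside <interceptor-ref name="defaultStack">,
# 1 if it is absent or placed elsewhere, 2 if the file cannot be read.
check_struts_xml() {
    file=$1
    if [ ! -r "$file" ]; then
        echo "UNREADABLE  $file"
        return 2
    fi
    # awk keeps only the lines from the opening defaultStack tag to its
    # closing tag; grep -F then looks for the literal line (no regex parsing).
    if awk '
        /<interceptor-ref[ \t]+name="defaultStack"[ \t]*>/ { inside = 1 }
        inside                                             { print }
        /<\/interceptor-ref>/                              { inside = 0 }
    ' "$file" | grep -F -q -- "$(expected_param)"; then
        echo "OK          $file"
        return 0
    fi
    echo "NOT APPLIED $file"
    return 1
}

# Check every path given on the command line; exit non-zero if any check fails.
rc=0
for f in "$@"; do
    check_struts_xml "$f" || rc=1
done
[ "$rc" -eq 0 ] || exit 1
```

Run it on both the UI VM and the Analytics VM; a NOT APPLIED result also covers the case where the line was added outside the defaultStack element.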
