The workaround addresses the vulnerability identified against the reported CVE: CVE-2021-22002.
workaround deployment steps, and how to confirm the workaround is applied.

Before You Begin:
- Take a snapshot of the appliance without virtual memory (recommended)
- Download the workaround script (HW-137959-vRA.zip)
Product | Version(s)
vRealize Automation (vIDM) | 7.6
Resolution:

Install the workaround to address the vulnerability identified against the reported CVE: CVE-2021-22002. Deployment of the workaround takes approximately 10 minutes per appliance. The workaround can be deployed independently on each appliance and does not require all vRA appliances to be offline at the same time, so it can be rolled out in a rolling fashion without taking the entire vRA environment offline.

Workaround Impact: The workaround disables access to the vIDM configuration page. This endpoint is not used in vRA 7.6 environments, so disabling it has no functional impact.

Workaround Deployment Procedures:

Linux Virtual Appliance Procedure
- Log in to the appliance as the sshuser user and switch to the root user
- Copy HW-137959-vRA.zip to the appliance. Place the file in a location easily accessible to the root user.
- VMware recommends the SCP protocol to deliver the file to the appliance. Tools such as WinSCP can be used to transfer the file to the appliance.
- Unzip the file using the command below.
CMD: unzip HW-137959-vRA.zip
- Change into the unzipped folder
CMD: cd HW-137959-vRA
- Run the workaround script from the terminal using the command below
CMD: ./HW-137959-Workaround.sh
- Read the warning about creating a backup before proceeding.
- Type 'y' and press <Enter> to continue
- Wait up to 5 minutes for the workaround to be applied
- To validate that the workaround was applied on the appliance, attempt to open the configuration login page. The expected behavior is that this page will not be available.
Example: https://<fqdn_of_appliance>:8443/cfg/login
Note: If you are on the wrong version of vRA you will be presented with the following error: "This hotfix is only applicable to be run on 7.x.x"

Note: If you are running a multi-appliance deployment, repeat the above steps on each additional appliance within the environment.

Rollback Deployment Procedures:

If there is a failure during the workaround deployment process and there is no backup available to revert to, the following steps can be taken to roll back the workaround. These steps need to be taken on each impacted appliance.

Linux Virtual Appliance Procedure
1. Replace the iptables file with the backup file created during workaround deployment.
CMD: mv /etc/bootstrap/everyboot.d/03-vidm-cluster-access-iptables.bk /etc/bootstrap/everyboot.d/03-vidm-cluster-access-iptables
2. Run the script below to reapply the iptables rules.
CMD: /etc/bootstrap/everyboot.d/03-vidm-cluster-access-iptables
3. Remove the flag file.
CMD: rm -f /usr/local/horizon/conf/flags/HW-137959-7.6.0.applied
4. To validate that the workaround was rolled back on the appliance, attempt to open the configuration login page. The expected behavior is that this page will be available again.
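As an added example (not VMware's HW-137959 workaround script and not part of this article), the following POSIX shell helper checks an appliance against the states the two procedures above expect: after deployment the flag file should exist and the configuration login page should be unreachable; after rollback the flag file should be gone and the page reachable again. The flag file, iptables backup path and the port 8443 endpoint are the ones named in this article; the curl timeouts, the function names and the `report` usage are assumptions.

```shell
#!/bin/sh
# Added verification helper for the HW-137959 workaround (not VMware's script).
# Run as root on the appliance after applying the workaround ("applied") or after
# rolling it back ("rolledback"). Paths and the 8443 endpoint are from the KB article;
# the curl timeouts below are an assumption.

FLAG_FILE=/usr/local/horizon/conf/flags/HW-137959-7.6.0.applied
IPTABLES_SCRIPT=/etc/bootstrap/everyboot.d/03-vidm-cluster-access-iptables
BACKUP_FILE="${IPTABLES_SCRIPT}.bk"

# Print "present" or "absent" for a file path (defaults to the KB flag file).
file_state() {
    if [ -f "${1:-$FLAG_FILE}" ]; then echo present; else echo absent; fi
}

# Probe the vIDM configuration login page. "blocked" means no HTTP response came
# back (the state the KB expects after the workaround); "reachable" means one did;
# "unknown" means curl is not installed on this host.
cfg_page_state() {
    if ! command -v curl >/dev/null 2>&1; then echo unknown; return 0; fi
    if curl -k -s -o /dev/null --connect-timeout 5 --max-time 10 "$1"; then
        echo reachable
    else
        echo blocked
    fi
}

# Compare the observed flag/page states with what the KB expects for the requested
# mode. Prints "consistent" or "inconsistent"; returns 0 only when consistent.
evaluate_state() {
    mode="$1" flag="$2" page="$3"
    case "$mode:$flag:$page" in
        applied:present:blocked)     echo consistent;   return 0 ;;
        rolledback:absent:reachable) echo consistent;   return 0 ;;
        *)                           echo inconsistent; return 1 ;;
    esac
}

# Full report for one appliance. Usage: report <fqdn_of_appliance> applied|rolledback
report() {
    fqdn="$1" mode="$2"
    flag=$(file_state "$FLAG_FILE")
    backup=$(file_state "$BACKUP_FILE")
    page=$(cfg_page_state "https://${fqdn}:8443/cfg/login")
    echo "flag file:       $flag"
    echo "iptables backup: $backup"
    echo "cfg page:        $page"
    evaluate_state "$mode" "$flag" "$page"
}

# Example invocation on the appliance itself (commented out so the file can be sourced):
# report "$(hostname -f)" applied
```

The iptables backup line is informational: the .bk file is expected after deployment (it is what the rollback procedure restores) and is consumed by rollback step 1, so its absence after a rollback is normal, while its absence after a deployment means the rollback path described above is not available for that appliance.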