Resolving the deserialization vulnerability for vRealize Orchestrator (CVE-2015-6934) (2141244)

Details

A Java deserialization vulnerability exists in the Apache Commons Collections library bundled with vRealize Orchestrator (commons-collections 3.2.1 and earlier). An attacker who can deliver a serialized object to the application can supply a specially constructed chain of Commons Collections classes (the functor classes such as org.apache.commons.collections.functors.InvokerTransformer) that runs arbitrary code while the object is being deserialized. Successful exploitation results in remote code execution with the permissions of the application that loads the Commons Collections library, which for Orchestrator is the vco service account.

Solution

To resolve this issue, download the attached patch and follow the steps. The patch replaces commons-collections 3.2.1 with commons-collections 3.2.2, which refuses to deserialize the unsafe functor classes unless they are explicitly re-enabled (see Revert the changes):

Note: The following procedure is also applicable to the embedded vRealize Orchestrator in vRealize Automation 6.2.x, vCloud Automation Center 6.1.x, and vCloud Automation Center 6.0.x.

For the Orchestrator Appliance 5.5.x and 6.0.x

  1. Download the archive and extract the content.
  2. Upload commons-collections-3.2.2.jar to your appliance.

    Use WinSCP for Windows and SCP for Linux.

  3. Log in to the appliance console and replace commons-collections-3.2.1.jar with commons-collections-3.2.2.jar.
    1. Stop the Orchestrator services:
      /etc/init.d/vco-server stop
      /etc/init.d/vco-configurator stop
    2. Replace the commons-collections jar with commons-collections-3.2.2.jar by running the following commands: 
      • For the Orchestrator server service:
        cp commons-collections-3.2.2.jar /var/lib/vco/app-server/deploy/vco/WEB-INF/lib/
        rm /var/lib/vco/app-server/deploy/vco/WEB-INF/lib/commons-collections-3.2.1.jar
        chown vco:vco /var/lib/vco/app-server/deploy/vco/WEB-INF/lib/commons-collections-3.2.2.jar
      • For the Orchestrator configuration service:
        cp commons-collections-3.2.2.jar /var/lib/vco/configuration/lib/o11n/
        rm /var/lib/vco/configuration/lib/o11n/commons-collections-3.2.1.jar
        chown vco:vco /var/lib/vco/configuration/lib/o11n/commons-collections-3.2.2.jar
    3. Start the Orchestrator services:
      /etc/init.d/vco-server start
      /etc/init.d/vco-configurator start
  4. Verify that Orchestrator is running as expected.

For the Orchestrator standalone Windows installation 5.5.x and 6.0.x

  1. Download the archive and extract the content.
  2. Replace commons-collections-3.2.1.jar with commons-collections-3.2.2.jar.
    1. Stop the Orchestrator services from the Windows command prompt:
      net stop vCOConfiguration
      net stop VMwareOrchestrator
    2. Replace commons-collections-3.2.1.jar with commons-collections-3.2.2.jar in the following locations:
      orchestrator_install_folder\app-server\deploy\vco\WEB-INF\lib\
      orchestrator_install_folder\configuration\lib\o11n\
    3. Start the Orchestrator services:
      net start vCOConfiguration
      net start VMwareOrchestrator
  3. Verify that Orchestrator is running as expected.
  4. Repeat the steps for every embedded Orchestrator server instance.

For the Orchestrator Appliance 4.2.x and 5.1.x

  1. Download the archive and extract the content.
  2. Upload commons-collections-3.2.2.jar to your appliance.

    Use WinSCP for Windows and SCP for Linux.

  3. Log in to the appliance console and replace commons-collections.jar with commons-collections-3.2.2.jar.
    1. Stop the Orchestrator services:
      /etc/init.d/vcod stop
      /etc/init.d/jettyd stop
    2. Back up the current commons-collections JAR file to the current directory:
      cp /opt/vmo/app-server/server/vmo/lib/commons-collections.jar ./
    3. Replace the commons-collections jar with commons-collections-3.2.2.jar by running the following commands: 
      • For the Orchestrator server service:
        rm /opt/vmo/app-server/server/vmo/lib/commons-collections.jar
        cp commons-collections-3.2.2.jar /opt/vmo/app-server/server/vmo/lib/
        chown vco:vco /opt/vmo/app-server/server/vmo/lib/commons-collections-3.2.2.jar
      • For the Orchestrator configuration service:
        rm /opt/vmo/configuration/jetty/lib/ext/commons-collections.jar
        cp commons-collections-3.2.2.jar /opt/vmo/configuration/jetty/lib/ext/
        chown vco:vco /opt/vmo/configuration/jetty/lib/ext/commons-collections-3.2.2.jar
    4. Start the Orchestrator services:
      /etc/init.d/vcod start
      /etc/init.d/jettyd start
  4. Verify that Orchestrator is running as expected.
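The two appliance procedures above (5.5.x/6.0.x and 4.2.x/5.1.x) differ only in service names, directories and the name of the old JAR. The following script is an added example and not VMware's code: it wraps the replacement in a helper that keeps a backup, removes the old JAR, optionally sets ownership, and then checks that exactly one commons-collections JAR remains and that it is byte-identical to the uploaded file. A leftover 3.2.1 JAR on the classpath would leave the gadget chain exploitable, which is why the check counts JARs rather than just confirming the new file exists. The paths, init scripts and vco:vco owner are the ones listed in this article; the function names (replace_jar, patch_vco_55_60, patch_vco_42_51) and the backup directory layout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the VMware KB article. Replaces a Commons
# Collections JAR in one Orchestrator lib directory with a backup and a
# post-replacement check. Paths and service names are those from the
# article; the helper names and backup layout are this example's own.
set -eu

# replace_jar <lib_dir> <old_jar_name> <new_jar_path> <backup_dir> [owner]
# Backs up the old JAR, installs the new one, deletes the old one, then
# verifies that exactly one commons-collections JAR remains and that it is
# byte-identical to the uploaded file.
replace_jar() {
  lib_dir=$1; old_jar=$2; new_jar=$3; backup_dir=$4; owner=${5:-}
  new_name=$(basename "$new_jar")
  [ -f "$new_jar" ] || { echo "missing upload: $new_jar" >&2; return 1; }
  [ -f "$lib_dir/$old_jar" ] || { echo "missing target: $lib_dir/$old_jar" >&2; return 1; }
  mkdir -p "$backup_dir"
  cp -p "$lib_dir/$old_jar" "$backup_dir/"   # keep the old copy for rollback
  cp "$new_jar" "$lib_dir/$new_name"
  rm "$lib_dir/$old_jar"
  [ -z "$owner" ] || chown "$owner" "$lib_dir/$new_name"
  # Exactly one commons-collections JAR may remain: a leftover 3.2.1 would
  # still be on the classpath and the deserialization chain would still work.
  n=$(find "$lib_dir" -maxdepth 1 -name 'commons-collections*.jar' | wc -l | tr -d ' ')
  [ "$n" -eq 1 ] || { echo "expected 1 commons-collections JAR in $lib_dir, found $n" >&2; return 1; }
  cmp -s "$new_jar" "$lib_dir/$new_name" || { echo "installed JAR differs from upload" >&2; return 1; }
}

# Orchestrator Appliance 5.5.x / 6.0.x (paths and init scripts from the article).
# Run as root with the uploaded JAR path and a backup directory, for example:
#   patch_vco_55_60 ./commons-collections-3.2.2.jar /root/cc-backup
patch_vco_55_60() {
  jar=$1; bak=$2
  /etc/init.d/vco-server stop
  /etc/init.d/vco-configurator stop
  replace_jar /var/lib/vco/app-server/deploy/vco/WEB-INF/lib commons-collections-3.2.1.jar "$jar" "$bak/app-server" vco:vco
  replace_jar /var/lib/vco/configuration/lib/o11n commons-collections-3.2.1.jar "$jar" "$bak/configuration" vco:vco
  /etc/init.d/vco-server start
  /etc/init.d/vco-configurator start
}

# Orchestrator Appliance 4.2.x / 5.1.x: the old JAR has no version suffix here.
patch_vco_42_51() {
  jar=$1; bak=$2
  /etc/init.d/vcod stop
  /etc/init.d/jettyd stop
  replace_jar /opt/vmo/app-server/server/vmo/lib commons-collections.jar "$jar" "$bak/app-server" vco:vco
  replace_jar /opt/vmo/configuration/jetty/lib/ext commons-collections.jar "$jar" "$bak/configuration" vco:vco
  /etc/init.d/vcod start
  /etc/init.d/jettyd start
}
```

Source the script and call the function that matches your appliance version; replace_jar can also be pointed at any other lib directory (an embedded Orchestrator in vRealize Automation, for instance) as long as the old JAR name is given correctly.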

For the Orchestrator standalone Windows installation 4.2.x and 5.1.x

  1. Download the archive and extract the content.
  2. Replace commons-collections.jar with commons-collections-3.2.2.jar.
    1. Stop the Orchestrator services from the Windows command prompt:
      net stop vCOConfiguration
      net stop VMwareOrchestrator
    2. Back up and replace commons-collections.jar with commons-collections-3.2.2.jar in the following locations:
      orchestrator_install_folder\app-server\server\vmo\lib\commons-collections.jar
      orchestrator_install_folder\configuration\jetty\lib\ext\commons-collections.jar
    3. Start the Orchestrator services:
      net start vCOConfiguration
      net start VMwareOrchestrator
  3. Verify that Orchestrator is running as expected.
  4. Repeat the steps for every embedded Orchestrator server instance.

Revert the changes

If Orchestrator misbehaves after you apply the JAR file, you can revert to the previous behavior without removing commons-collections 3.2.2: setting the org.apache.commons.collections.enableUnsafeSerialization system property to true makes 3.2.2 deserialize the functor classes again. Note that this restores the vulnerable behavior in full, so treat it as a temporary measure, restrict network access to the Orchestrator services while it is in place, and remove the property as soon as the underlying problem is fixed.


For the Orchestrator Appliance 5.5.x and 6.0.x

  1. Stop the Orchestrator services:
    /etc/init.d/vco-server stop
    /etc/init.d/vco-configurator stop
  2. Add the following system property to the JVM_OPTS variable in /var/lib/vco/app-server/bin/setenv.sh and /var/lib/vco/configuration/bin/setenv.sh:
    -Dorg.apache.commons.collections.enableUnsafeSerialization=true
  3. Start the Orchestrator services:
    /etc/init.d/vco-server start
    /etc/init.d/vco-configurator start

For the Orchestrator standalone Windows installation 5.5.x and 6.0.x

  1. Stop the Orchestrator services from the Windows command prompt:
    net stop vCOConfiguration
    net stop VMwareOrchestrator
  2. Add wrapper.java.additional.[next number]="-Dorg.apache.commons.collections.enableUnsafeSerialization=true" to the Java Additional Parameters section, located in the following files:
    orchestrator_install_folder\app-server\bin\wrapper.conf
    orchestrator_install_folder\app-server\bin\wrapper-auto.conf
    orchestrator_install_folder\configuration\bin\wrapper.conf
    orchestrator_install_folder\configuration\bin\wrapper-auto.conf
  3. Start the Orchestrator services:
    net start vCOConfiguration
    net start VMwareOrchestrator

For the Orchestrator Appliance 4.2.x and 5.1.x

  1. Stop the Orchestrator services:
    /etc/init.d/vcod stop
    /etc/init.d/jettyd stop
  2. Add the following system property to the Java Additional Parameters section of /opt/vmo/app-server/bin/wrapper.conf and /opt/vmo/configuration/jetty/jetty-service.conf, using the next free index:
    wrapper.java.additional.[next number]="-Dorg.apache.commons.collections.enableUnsafeSerialization=true"
  3. Start the Orchestrator services:
    /etc/init.d/vcod start
    /etc/init.d/jettyd start

For the Orchestrator standalone Windows installation 4.2.x and 5.1.x

  1. Stop the Orchestrator services from the Windows command prompt:
    net stop vCOConfiguration
    net stop VMwareOrchestrator
  2. Add wrapper.java.additional.[next number]="-Dorg.apache.commons.collections.enableUnsafeSerialization=true" to the Java Additional Parameters section, located in the following files:
    orchestrator_install_folder\app-server\bin\wrapper.conf
    orchestrator_install_folder\configuration\jetty-service.conf
  3. Start the Orchestrator services:
    net start vCOConfiguration
    net start VMwareOrchestrator

Recognize if there is an attempt of using forbidden classes in commons-collections

With commons-collections 3.2.2 in place, any attempt to deserialize one of the forbidden functor classes is rejected and a warning is written to the Orchestrator log, similar to the following example. Such a warning means that a serialized object containing one of the gadget classes reached the application, which is not something a legitimate Orchestrator client does, so treat it as a probable exploitation attempt: record the request URI, the source address from the surrounding log entries, and the time, and investigate.

WARN {} [Filter] Throwable thrown during doFilter on request with URI: /vco/webremoting/vcofactory.service and Query: null Serialization support for org.apache.commons.collections.functors.InvokerTransformer is disabled for security reasons. To reenable the support, you must set the org.apache.commons.collections.enableUnsafeSerialization system property to true, but you must ensure that your application does not deserialize objects from untrusted sources.
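The following shell functions are an added example, not part of the KB article: they pull the blocked-deserialization warnings out of an Orchestrator log and report, per warning, the request URI and the class that 3.2.2 refused to deserialize. The matched text is the message quoted above; the function names and the sample log lines used in the usage note are constructed for this example, and the timestamp prefix on those sample lines is assumed rather than taken from the article.

```shell
#!/bin/sh
# Added example, not from the VMware KB article. Extracts blocked
# deserialization attempts from an Orchestrator log file. The matched
# message text is the one the article quotes; function names are this
# example's own.

# deser_attempts <logfile>
# Prints one line per blocked attempt: "<request URI> <rejected class>".
# The grep selects the warning lines; sed pulls the URI that follows
# "URI: " and the class name that follows "Serialization support for ".
deser_attempts() {
  grep -F 'is disabled for security reasons' "$1" \
    | sed -n 's/.*URI: \([^ ]*\) .*Serialization support for \([^ ]*\) is disabled.*/\1 \2/p'
}

# count_deser_attempts <logfile>
# Number of blocked attempts in the file (0 when the log is clean).
count_deser_attempts() {
  deser_attempts "$1" | wc -l | tr -d ' '
}
```

Run it against the server log and alert on any non-zero count; a single hit is enough to warrant looking at where the request came from, because the patched library only logs this when a gadget class was actually present in the serialized stream.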
