VMware vRealize Operations 6.2.1, 6.3, 6.4 and 6.5 patch to address CVE-2017-5638 (2149591)

Purpose

On March 13, 2017, a critical-severity privilege escalation vulnerability was disclosed that affects VMware vRealize Operations Manager. The details of this vulnerability are documented in VMSA-2017-0004.

The vRealize Operations Manager team has investigated the issue and determined that the possibility of exploitation can be removed by installing a patch delivered as a PAK file.

Warning: This patch is applicable ONLY to vRealize Operations Manager versions 6.2.1, 6.3, 6.4 and 6.5. Do not apply this patch to other VMware products.

Resolution

To install the PAK file on vRealize Operations Manager, perform the following steps.

Installation Notes:

  • This patch must be applied after any other patches. If you apply another patch after this one, you will have to reapply this patch.
  • Do not refresh the screen during the installation. While the installation is in progress, the administrator interface logs you out.
  • The PAK does not require that the cluster be stopped and restarted.

Prerequisites:

  • Verify that vRealize Operations Manager 6.2.1, 6.3, 6.4 or 6.5 is installed.
  • Take a snapshot of the vRealize Operations Manager nodes before you upgrade.

Procedure:

  1. Download the relevant PAK file for your version:
         6.2.1 VMware Download
         6.3 VMware Download
         6.4 VMware Download
         6.5 VMware Download

     PAK file: vRealize_Operations_Manager-Security-Patch-2017.03.28.5263486.pak
     Description: vRealize Operations Manager Security Patch. A vRealize Operations security patch intended for existing 6.2.1, 6.3, 6.4 and 6.5 installations to address the vulnerability described in VMSA-2017-0004.

  2. On your existing vRealize Operations Manager cluster, log in to the master node administrator interface at https://<master-node-FQDN-or-IP-address>/admin.
  3. In the left pane, click Software Update, then click Install a Software Update.
  4. Follow the wizard to locate and install your downloaded PAK file.
  5. Log back in to the master node administrator interface. The main Status and Troubleshooting page of the administrator interface appears, and the cluster goes online automatically.
         Note: The status page also displays the Bring Online button. Do NOT click the button.
  6. If the browser page does not refresh automatically, refresh the page. The cluster status changes to Going Online. When the cluster status changes to Online, the upgrade is complete.
  7. Verify that the Build and Version columns of each node in your vRealize Operations cluster are updated to HP Build 5263486 and Version <your installed version>.5263486, where <your installed version> is the version of vRealize Operations currently installed.
  8. Once you have applied the patch and the build number is incremented, any future upgrade you perform that has a lower build number wipes out the patch, and you will have to reinstall it.
         To reinstall, select the following checkbox in the upgrade wizard: Install the PAK file if it is already installed

The newly patched node receives the latest Struts files, version 2.3.32. Note that the other nodes are still running a lower version of Struts until they are patched. Do not perform any system operations until all nodes have this PAK installed.

To validate your installation, perform the following steps:

  1. Log in to the console of the virtual appliance or use SSH to log in to each node.
  2. For virtual appliance or RHEL installations, execute the following commands on all nodes of the cluster:
         # find / -name "*struts*"
         <output>
         # find / -name "*xwork*"
         <output>

Or, for Windows installations (applicable only to vRealize Operations Manager 6.2.1, 6.3, and 6.4), perform the following steps:

  1. RDP to each node and open a command prompt.
  2. Execute the following commands on all nodes of the cluster:
         > dir *struts* /s /p
         <output>
         > dir *xwork* /s /p
         <output>


The output of all the above commands should include multiple jar files of version 2.3.32.

If your output includes the jar files as noted above, the patch is verified to be properly installed and the vulnerability is closed. Please subscribe to this knowledge base article and our VMware Security Advisories for up-to-date information.
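The two find commands above still leave the version check to the reader's eye on every node. The following script, added here as an example and not part of the KB article or VMware's tooling, does that check automatically: it lists every Struts/XWork jar under a root, reads the version out of the file name, and fails if any jar is not 2.3.32 or if none are found. It assumes jar names end in -<version>.jar (such as struts2-core-2.3.32.jar); the sample directory tree it builds is constructed for the demo, not a real vRealize path.

```shell
# Added example (not from the KB): confirm every Struts/XWork jar under a root
# is at the patched version 2.3.32. Assumes jar names end in -<version>.jar,
# e.g. struts2-core-2.3.32.jar; on a real node run: check_struts_version /

EXPECTED_VERSION="2.3.32"

# Print "<jar-path> <version>" for every struts/xwork jar below $1.
list_struts_jars() {
    find "$1" -type f \( -name "*struts*.jar" -o -name "*xwork*.jar" \) 2>/dev/null |
    while IFS= read -r jar; do
        base=$(basename "$jar" .jar)
        # Version is the trailing dotted-numeric part after the last '-'.
        ver=$(printf '%s\n' "$base" | sed -n 's/.*-\([0-9][0-9.]*\)$/\1/p')
        printf '%s %s\n' "$jar" "${ver:-unknown}"
    done
}

# Exit 0 if jars were found and all match EXPECTED_VERSION, 1 if any is stale
# (listed on stderr), 2 if none were found (the node cannot be confirmed).
check_struts_version() {
    tmp=$(mktemp)
    list_struts_jars "$1" > "$tmp"
    if [ "$(wc -l < "$tmp" | tr -d ' ')" -eq 0 ]; then
        echo "no struts/xwork jars found under $1" >&2
        rm -f "$tmp"; return 2
    fi
    stale=0
    while read -r jar ver; do
        if [ "$ver" != "$EXPECTED_VERSION" ]; then
            echo "STALE: $jar ($ver)" >&2; stale=1
        fi
    done < "$tmp"
    rm -f "$tmp"
    return $stale
}

# Constructed sample tree (not real vRealize paths): one node patched, one not.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/patched/lib" "$root/unpatched/lib"
    for j in struts2-core xwork-core; do
        : > "$root/patched/lib/$j-2.3.32.jar"     # patched node
        : > "$root/unpatched/lib/$j-2.3.24.jar"   # constructed stale node
    done
    printf '%s\n' "$root"
}

demo=$(make_sample_tree)
check_struts_version "$demo/patched"   && echo "patched: OK"
check_struts_version "$demo/unpatched" || echo "unpatched: flagged"
```

A non-zero exit on any node means that node must not be considered patched, which matches the KB's rule of holding off system operations until every node carries the 2.3.32 jars.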
