VMware vRealize Operations 6.2.1, 6.3, 6.4 and 6.5 patch to address CVE-2017-5638 (2149591)
On March 13, 2017, a critical-severity privilege escalation vulnerability affecting VMware vRealize Operations Manager was disclosed. The details of this vulnerability are documented in VMSA-2017-0004.
The vRealize Operations Manager team has investigated the issue and determined that the possibility of exploitation can be removed by installing a patch using a PAK file.
Warning: This patch is applicable ONLY to vRealize Operations Manager versions 6.2.1, 6.3, 6.4 and 6.5. Do not apply this patch to other VMware products.
To install the PAK file on vRealize Operations Manager, perform the following steps.
- This patch must be applied after any other patches. If you apply another patch after this one, you must reapply this patch.
- Do not refresh the screen during the installation. While the installation is in progress, the administrator interface logs you out.
- The PAK file does not require that the cluster be stopped and restarted.
- Verify that vRealize Operations Manager 6.2.1, 6.3, 6.4 or 6.5 is installed.
- Take a snapshot of the vRealize Operations Manager nodes before you upgrade.
- Download the relevant PAK file for your installed version:
  - 6.2.1: VMware Download
  - 6.3: VMware Download
  - 6.4: VMware Download
  - 6.5: VMware Download
  PAK file: vRealize_Operations_Manager-Security-Patch-2017.03.28.5263486.pak
  Description: vRealize Operations Manager Security Patch. vRealize Operations security patch intended for existing versions 6.2.1, 6.3, 6.4 and 6.5 installations to address the vulnerability described in
- On your existing vRealize Operations Manager cluster, log in to the master node administrator interface at https://<master-node-FQDN-or-IP-address>/admin
- On the left pane, click Software Update. Click Install a Software Update.
- Follow the wizard to locate and install your downloaded PAK file.
- Log back in to the master node administrator interface. The main Status and Troubleshooting page of the administrator interface appears, and the cluster goes online automatically.
Note: The status page also displays the Bring Online button. Do NOT click the button.
- If the browser page does not refresh automatically, refresh the page. The cluster status changes to Going Online. When the cluster status changes to Online, the upgrade is complete.
- Verify that the Build and Version columns of each node in your vRealize Operations cluster are updated to HP Build 5263486, Version <your installed version>.5263486, where <your installed version> is the version of vRealize Operations currently installed.
- Once you have applied the patch and the build number has been incremented, any future upgrade you perform that has a lower build number removes the patch, and you must reinstall it.
To reinstall, select the following checkbox in the upgrade wizard: "Install the PAK file if it is already installed".
The newly added (patched) node receives the latest STRUTS files, version 2.3.32. Note that other nodes are still running a lower version of STRUTS. Do not perform any system operations until all nodes have this PAK installed.
To validate your installation, perform the following steps:
- Log in to the console of the virtual application or use SSH to log in to each node.
- For virtual appliance or RHEL installations, execute the following commands on all nodes of the cluster:
# find / -name "*struts*"
# find / -name "*xwork*"
- For Windows installations, RDP to each node and open a command prompt.
- Execute the following commands on all nodes of the cluster:
# dir *struts* /s /p
# dir *xwork* /s /p
The output of all the above commands should include multiple jar files of version 2.3.32.
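Reading the find output by eye on every node is error-prone when a cluster has many nodes. The following POSIX shell script is an added example, not part of the VMware article or the PAK itself: it takes the path list that the find commands above produce, classifies each Struts or XWork jar by the version embedded in its file name, and fails if any such jar is older than 2.3.32 or if no Struts/XWork jar was found at all (which would mean the search ran in the wrong place). It assumes Maven-style jar naming (artifact-X.Y.Z.jar); the paths in SAMPLE are constructed for the demonstration and are not taken from a real node.

```shell
#!/bin/sh
# Post-patch check for the Struts/XWork jars on a vRealize Operations node.
# Added example, not part of the VMware article or the PAK.
# Assumption: jars follow Maven naming, e.g. struts2-core-2.3.32.jar.

# Struts 2 version the PAK is expected to deliver (from the article).
MIN_STRUTS="2.3.32"

# ver_lt A B: succeed if dotted version A is numerically lower than B.
ver_lt() {
    lower=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lower" = "$1" ] && [ "$1" != "$2" ]
}

# check_struts_jars: reads paths on stdin (one per line), prints a verdict
# per Struts/XWork jar and succeeds only if at least one such jar was found
# and none is older than MIN_STRUTS. Paths that are not *struts*/*xwork* jars
# (directories, unrelated libraries) are skipped.
check_struts_jars() {
    found=0
    bad=0
    while IFS= read -r path; do
        name=$(basename "$path")
        case "$name" in
            *struts*.jar|*xwork*.jar) ;;
            *) continue ;;
        esac
        found=$((found + 1))
        # The version is the dotted number between the last '-' and '.jar'.
        version=$(printf '%s\n' "$name" | sed -n 's/.*-\([0-9][0-9.]*[0-9]\)\.jar$/\1/p')
        if [ -z "$version" ]; then
            echo "UNKNOWN  $path (no version in file name; inspect manually)"
            bad=$((bad + 1))
        elif ver_lt "$version" "$MIN_STRUTS"; then
            echo "OLD      $path ($version < $MIN_STRUTS)"
            bad=$((bad + 1))
        else
            echo "OK       $path ($version)"
        fi
    done
    [ "$found" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Constructed sample listing (not output from a real node). On a node use:
#   SAMPLE=$(find / \( -name '*struts*' -o -name '*xwork*' \) -name '*.jar')
SAMPLE='/opt/example/lib/struts2-core-2.3.32.jar
/opt/example/lib/xwork-core-2.3.32.jar
/opt/example/lib/struts2-json-plugin-2.3.32.jar
/opt/example/lib/commons-lang3-3.2.jar'

if printf '%s\n' "$SAMPLE" | check_struts_jars; then
    echo "PASS: all Struts/XWork jars are $MIN_STRUTS or newer"
else
    echo "FAIL: patch not fully applied on this node" >&2
fi
```

Run it on each node after the PAK installs; a single OLD or UNKNOWN line, or a FAIL with no jars listed, is the signal to stop and re-check that node before resuming system operations, matching the article's instruction that all nodes must carry the PAK before the cluster is used again.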
If your output includes the jar files as noted above, the patch is verified to be properly installed and the vulnerability is closed. Please subscribe to this knowledge base article and our VMware Security Advisories for up-to-date information.