• Arun Nukula

vIDM Inventory Sync fails after implementing workaround to fix CVE-2020-4006 (KB 81731)


Came across an issue where vIDM Inventory Sync fails after applying KB 81731, which covers the workaround for CVE-2020-4006.


Once the workaround is in place, the vIDM configurator page (:8443) is no longer available/accessible, because we are blocking it due to the security vulnerability.


CVE-2020-4006 has been determined to affect some releases of Workspace ONE Access, Identity Manager, and Workspace ONE Access Connector. This vulnerability and its impact on VMware products are documented in VMSA-2020-0027. Please review this advisory before continuing as there may be considerations outside the scope of this document including permanent fixes.


Affected Product versions:

  • VMware Workspace ONE Access 20.10 (Linux)

  • VMware Workspace ONE Access 20.01 (Linux)

  • VMware Identity Manager 3.3.3 (Linux)

  • VMware Identity Manager 3.3.2 (Linux)

  • VMware Identity Manager 3.3.1 (Linux)

  • VMware Identity Manager Connector 3.3.2, 3.3.1 (Linux)

  • VMware Identity Manager Connector 3.3.3, 3.3.2, 3.3.1 (Windows)

  • VMware Identity Manager Connector 19.03.0.0, 19.03.0.1


According to the KB, the following steps are suggested to implement the workaround on vIDM:



Implement workaround for Linux based vIDM appliances

Use SSH to connect to appliance using “sshuser” credentials configured during installation or updated later.

Switch to root by typing su and provide “root” credentials configured during installation or updated later.

Run the following commands:
 
    cd /opt/vmware/horizon/workspace
    mkdir webapps.tmp
    mv webapps/cfg webapps.tmp
    mv conf/Catalina/localhost/cfg.xml webapps.tmp
    service horizon-workspace restart
 
Repeat steps for all Linux based appliances affected by CVE-2020-4006.


The moment this workaround is implemented on vIDM, Inventory Sync of vIDM through vRLCM will fail.


For Inventory Sync to work through vRLCM, one has to revert the workaround as stated in the KB.


Revert workaround for Linux based appliances

Use SSH to connect to appliance using “sshuser” credentials configured during installation or updated later.

Switch to root by typing su and provide “root” credentials configured during installation or updated later.

Run the following commands:
 
    cd /opt/vmware/horizon/workspace
    mv webapps.tmp/cfg webapps
    mv webapps.tmp/cfg.xml conf/Catalina/localhost
    rmdir webapps.tmp
    service horizon-workspace restart
 
Repeat steps for all Linux based appliances affected by CVE-2020-4006.

This issue is fixed in vIDM 3.3.4, which is packaged with vRLCM 8.3 and vRA 8.3.


NOTE: If you plan to upgrade vIDM, you have to revert the workaround using the steps mentioned above.
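
A check that can be run on each appliance before an Inventory Sync or upgrade to see whether the workaround is currently applied, reverted, or left half-moved. This is an added example, not part of KB 81731 or the original post; the function name `workaround_state` and its state labels are assumptions, while the paths are the ones used in the commands above.

```shell
#!/bin/sh
# Added example: report the state of the CVE-2020-4006 workaround on a
# Linux vIDM appliance by checking where the configurator files sit.
# workaround_state and the labels it prints are hypothetical names.

# Usage: workaround_state [base_dir]
# Prints one of: applied | not-applied | partial | unknown
workaround_state() {
    base="${1:-/opt/vmware/horizon/workspace}"
    [ -d "$base" ] || { echo unknown; return 3; }

    live=0    # pieces still in their deployed location
    parked=0  # pieces moved aside into webapps.tmp
    [ -d "$base/webapps/cfg" ] && live=$((live + 1))
    [ -f "$base/conf/Catalina/localhost/cfg.xml" ] && live=$((live + 1))
    [ -d "$base/webapps.tmp/cfg" ] && parked=$((parked + 1))
    [ -f "$base/webapps.tmp/cfg.xml" ] && parked=$((parked + 1))

    if [ "$live" -eq 0 ] && [ "$parked" -eq 2 ]; then
        echo applied        # configurator moved aside; revert before sync or upgrade
    elif [ "$live" -eq 2 ] && [ "$parked" -eq 0 ]; then
        echo not-applied    # configurator deployed; workaround not in place
    elif [ "$live" -eq 0 ] && [ "$parked" -eq 0 ]; then
        echo unknown; return 3   # neither location holds the files
    else
        echo partial; return 2   # half-moved: finish applying or reverting
    fi
}
```

Source the file as root and call `workaround_state`; a `partial` result means one of the `mv` steps did not complete and should be resolved before restarting `horizon-workspace`.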
