While this post may seem redundant, I hope the screenshots help put your mind at ease when applying this patch, especially in a production environment. As of this writing, VMware has also improved KB 81754 so that it spells out every step required to apply the patch.
If you stay on top of security news, you are already aware of a vulnerability recently reported to VMware by the U.S. National Security Agency (NSA), which also published a Cybersecurity Advisory about it.
In a nutshell, per CVE-2020-4006, a malicious actor who has network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system. Both preconditions matter: restricting who can reach port 8443 and protecting the configurator admin password reduce exposure, but neither replaces the patch.
Initially, a workaround was documented in https://kb.vmware.com/s/article/81731. Soon after, VMware support confirmed that the right fix is the patch described in https://kb.vmware.com/s/article/81754, and advised customers who had applied the workaround to roll it back.
To start, download the patch for the product and version you run from KB 81754. For this post, I will use VMware Identity Manager 19.03 as the example.
Once it is downloaded, copy it to your VMware Identity Manager Connector server.
Then extract the zip file; you will see the individual files shown below. The README.rtf file provides additional information on the steps required to install the patch successfully.
To install the patch:
- Open a command prompt as administrator, navigate to the extracted folder containing update.bat, and run it.
- When prompted, enter the directory where the VMware Identity Manager Connector is installed (e.g. C:\VMware\VMwareIdentityManager\Connector).
- The VMware connector service stops.
- Wait about 60 seconds, then press a key to continue.
- The VMware connector service starts again.
To validate that the patch installed successfully, we have two options. In either case, we are looking for the new build number 17267198.
Option 1: Browse to https://localhost:8443/cfg/login on the connector server itself, or to https://<hostname>:8443/cfg/login from any computer that can reach the connector on port 8443.
Option 2: Log onto the Administration Console of your VMware Identity Manager environment.
Here’s the build number before the patch is installed.
Here’s the build number after the patch is installed.
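The validation above is done by eye in a browser. The PowerShell function below is an added example, not part of the original post or of VMware's KB, that performs the same checks from an elevated prompt on the connector server: it confirms the connector service came back after update.bat, that port 8443 answers, and that the configurator login page contains the expected build number. Two things are assumptions rather than facts from the post: the Windows service display-name pattern `VMware*Connector*` (adjust it to match your server) and that the build number appears as plain text in the HTML of the login page.

```powershell
# Added example (hypothetical helper, not VMware's code): validate the CVE-2020-4006
# patch on a Windows VMware Identity Manager Connector. Run from an elevated prompt
# on the connector server after update.bat has completed.
function Test-IdmConnectorPatch {
    [CmdletBinding()]
    param(
        [string]$ConnectorHost  = 'localhost',        # connector server (localhost when run on it)
        [int]$ConfiguratorPort  = 8443,               # administrative configurator port from the advisory
        [string]$ExpectedBuild  = '17267198',         # build number the post says to look for after patching
        [string]$ServicePattern = 'VMware*Connector*' # ASSUMPTION: display-name pattern of the connector service
    )

    $result = [ordered]@{
        Host           = $ConnectorHost
        ServiceRunning = $false
        PortOpen       = $false
        LoginPageOk    = $false
        BuildFound     = $false
    }

    # 1. update.bat stops and restarts the connector service; confirm it came back.
    #    Get-Service only queries the local machine, so skip this when checking a remote host.
    if ($ConnectorHost -in @('localhost', '127.0.0.1', $env:COMPUTERNAME)) {
        $svc = Get-Service | Where-Object { $_.DisplayName -like $ServicePattern }
        if ($svc) {
            $result.ServiceRunning = @($svc | Where-Object { $_.Status -eq 'Running' }).Count -gt 0
        } else {
            Write-Warning "No service matching '$ServicePattern' found; adjust -ServicePattern."
        }
    }

    # 2. Port 8443 must be reachable from where this runs. Network access to this port is
    #    half of what an attacker needs for CVE-2020-4006, so it should only be reachable
    #    from trusted administrative networks in the first place.
    $tnc = Test-NetConnection -ComputerName $ConnectorHost -Port $ConfiguratorPort -WarningAction SilentlyContinue
    $result.PortOpen = [bool]$tnc.TcpTestSucceeded

    # 3. Fetch the configurator login page and search it for the expected build number.
    #    The configurator usually presents a self-signed certificate, so certificate
    #    validation is skipped for this one request only (and restored afterwards on 5.1).
    $uri = "https://${ConnectorHost}:${ConfiguratorPort}/cfg/login"
    try {
        if ($PSVersionTable.PSVersion.Major -ge 6) {
            $resp = Invoke-WebRequest -Uri $uri -SkipCertificateCheck -UseBasicParsing -TimeoutSec 15
        } else {
            $prevCallback = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
            [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
            [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
            try {
                $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 15
            } finally {
                [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $prevCallback
            }
        }
        $result.LoginPageOk = ($resp.StatusCode -eq 200)
        # ASSUMPTION: the build number is present as literal text in the page body.
        $result.BuildFound  = [bool]($resp.Content -match [regex]::Escape($ExpectedBuild))
    } catch {
        Write-Warning "Request to $uri failed: $($_.Exception.Message)"
    }

    [pscustomobject]$result
}

# Usage: run once before the patch (expect BuildFound = False) and once after it.
$check = Test-IdmConnectorPatch
$check | Format-List
if ($check.ServiceRunning -and $check.LoginPageOk -and $check.BuildFound) {
    Write-Host "Patch validated on $($check.Host): connector running and build $($check.ExpectedBuild)17267198 reported." -ForegroundColor Green
} else {
    Write-Warning "Patch not validated; review the fields above before treating this server as remediated."
}
```

Running it before the patch gives a baseline (BuildFound should be False), and running it again after update.bat turns that field True without anyone having to squint at a screenshot. If PortOpen is True from a workstation that should not have administrative access to the connector, that is a finding in its own right, independent of the patch.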
I hope you find this post helpful. As always, stay mobile!
Thank you sir for the information. Only site that I found that had this much detail on “proof” after remediation. Steps to resolve are clean and detailed. Much appreciated!
You are quite welcome.