URL:
https://kb.vmware.com/s/article/88433
Submission: On August 11 via api from US — Scanned from DE
Knowledge Base

HW-156875 - Workaround instructions to address CVE-2022-22972 in Workspace ONE Access Appliance (VMware Identity Manager) (88433)
--------------------------------------------------------------------------------
Last Updated: 5/19/2022
Categories: Security
Total Views: 16743
Language: Japanese / English

PURPOSE

CVE-2022-22972 has been determined to impact Workspace ONE Access (VMware Identity Manager). This vulnerability and its impact on VMware products are documented in the VMware Security Advisory VMSA-2022-0014; please review that advisory before continuing.

IMPACTED PRODUCT SUITES

* vRealize Automation (vRA) 7.x, 8.x: the vRA product suite can be impacted. If vIDM is used within the vRA environment, follow this knowledge base article and apply the workaround directly to the vIDM appliance(s).
  NOTE: Customers leveraging vRA 7.6 must follow the instructions specific to this version, as listed in the Workaround section.
* vRealize Suite Automation Lifecycle Manager (vRSLCM) 8.x: the vRSLCM product suite can be impacted. If vIDM is used within the vRSLCM environment, follow this knowledge base article and apply the workaround directly to the vIDM appliance(s).
* VMware Cloud Foundation (VCF) 4.x: the VCF product suites can be impacted. If vIDM is used within the VCF environment, follow this knowledge base article and apply the workaround directly to the vIDM appliance(s).

LIST OF AFFECTED VERSIONS

Product                        Component    Version(s)
VMware Workspace ONE Access    Appliance    21.08.0.1
VMware Workspace ONE Access    Appliance    21.08.0.0
VMware Workspace ONE Access    Appliance    20.10.0.1
VMware Workspace ONE Access    Appliance    20.10.0.0
VMware Identity Manager        Appliance    3.3.6
VMware Identity Manager        Appliance    3.3.5
VMware Identity Manager        Appliance    3.3.4
VMware Identity Manager        Appliance    3.3.3
VMware vRealize Automation                  7.6

NOTE: Customers leveraging cloud (SaaS) instances of Workspace ONE Access can find information pertaining to such tenants by logging in to the Workspace ONE Access admin console and reviewing the available notifications.

RESOLUTION

The workarounds described in this document are meant to be a temporary solution only and will result in the loss of certain functionality, as noted below.

* The hotfixes documented in the advisory should be applied to remediate these vulnerabilities; their deployment does not impact functionality.

FUNCTIONAL IMPACT RESULTING FROM DEPLOYMENT OF WORKAROUND

* Non-directory (local) users lose the ability to log in.
* If VMware Identity Manager is managed by vRealize Suite Lifecycle Manager, Day-2 actions such as inventory sync may fail after the workaround is applied. To perform Day-2 actions, revert the workaround first.

WORKAROUND

PRE-DEPLOYMENT GUIDELINES:

* It is recommended to upgrade instances of unsupported versions to newer, supported versions before applying the workaround. This procedure may not work for older, unsupported versions. Please refer to the VMware Lifecycle Matrix for the list of supported versions of the product.
* It is strongly recommended to take a snapshot of the appliance(s) and a backup of the database before applying the workaround.

PROCEDURE TO APPLY THE WORKAROUND FOR 20.10.XX AND 21.08.XX:

1. Log in to the Microsoft SQL Server where the Workspace ONE Access database is deployed. You can use SQL Server Management Studio or a similar tool.
2. Take a backup of the Workspace ONE Access database.
3. Run the queries below against the Workspace ONE Access database.
4. Run View-Active-Admin-users.sql to see all administrators (read-only administrators included) and run View-Active-Local-users.sql to see all local users who will be disabled. Make sure that View-Active-Admin-users.sql shows at least one provisioned (usually from a Directory) administrator.
5. Run Disable_All_Local_Users.sql to disable all local users and administrators.
6. Run View-Active-Admin-users.sql to see which administrators now remain active. Only provisioned (usually Directory) userType administrators should appear here.
7. Log in to the Workspace ONE Access/VMware Identity Manager appliance with an SSH client as the root user. Restart the service with the command "service horizon-workspace restart". Repeat this step for every appliance in your environment.
8. Until the hotfixes are applied, do not create any new local users.

PROCEDURE TO REVERT THE WORKAROUND (USE THESE STEPS ONLY AFTER APPLYING THE HOTFIXES OR IF THERE IS A LOCK-OUT):

9. Run Reenable_Disabled_Users.sql to enable the previously disabled users.
10. Run View-Active-Admin-users.sql and View-Active-Local-users.sql to confirm that the previously disabled local users and administrators have been re-enabled.
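The check in steps 4 and 6 is what keeps the workaround from locking the environment out: disabling every local account is only safe when at least one directory-provisioned administrator remains. The following helper, added here as an example and not part of the KB article or its attached SQL scripts, encodes that pre-flight check, the step 6 post-check, and the step 10 re-enable check over rows exported from the two View scripts. The row layout (username, user_type, is_admin, is_active), the "LOCAL" / "DIRECTORY" user_type labels, and the sample accounts are all assumptions constructed for illustration; adapt the row shape to the actual columns the scripts return.

```python
# Added example, not VMware's code. Row layout and user_type labels are assumptions.
from dataclasses import dataclass
from typing import Iterable, List, Tuple

LOCAL = "LOCAL"  # assumed userType label for non-directory (local) accounts


@dataclass(frozen=True)
class UserRow:
    username: str
    user_type: str   # "LOCAL" or a directory-provisioned type (assumed labels)
    is_admin: bool
    is_active: bool


def local_users(rows: Iterable[UserRow]) -> List[UserRow]:
    """Active local accounts: what Disable_All_Local_Users.sql will disable (step 4)."""
    return [r for r in rows if r.is_active and r.user_type.upper() == LOCAL]


def provisioned_admins(rows: Iterable[UserRow]) -> List[UserRow]:
    """Active directory-provisioned admins, i.e. the accounts that survive the workaround."""
    return [r for r in rows if r.is_active and r.is_admin and r.user_type.upper() != LOCAL]


def preflight(rows: Iterable[UserRow]) -> Tuple[bool, dict]:
    """Step 4 check: refuse to proceed when no provisioned admin would remain (lock-out)."""
    rows = list(rows)
    to_disable = sorted(r.username for r in local_users(rows))
    survivors = sorted(r.username for r in provisioned_admins(rows))
    return len(survivors) >= 1, {"to_disable": to_disable, "remaining_admins": survivors}


def verify_disabled(rows_after: Iterable[UserRow]) -> bool:
    """Step 6 check: no active local account remains and at least one provisioned admin does."""
    rows_after = list(rows_after)
    return not local_users(rows_after) and len(provisioned_admins(rows_after)) >= 1


def verify_reenabled(rows_before: Iterable[UserRow], rows_after: Iterable[UserRow]) -> bool:
    """Step 10 check: every local account that was active before is active again."""
    before = {r.username for r in local_users(rows_before)}
    after = {r.username for r in local_users(rows_after)}
    return before <= after


# Constructed sample rows (not real accounts): what the View scripts might return.
BEFORE = [
    UserRow("admin", LOCAL, True, True),                    # built-in local administrator
    UserRow("ops.local", LOCAL, False, True),               # local non-admin user
    UserRow("jdoe@corp.example", "DIRECTORY", True, True),  # directory-provisioned admin
    UserRow("asmith@corp.example", "DIRECTORY", False, True),
]
# State after Disable_All_Local_Users.sql: local rows inactive, directory rows untouched.
AFTER_DISABLE = [UserRow(r.username, r.user_type, r.is_admin, r.user_type != LOCAL) for r in BEFORE]
# An environment with only local admins: the workaround would lock it out.
LOCKOUT = [r for r in BEFORE if r.user_type == LOCAL]

if __name__ == "__main__":
    safe, report = preflight(BEFORE)
    print("safe to disable:", safe, report)
    print("lock-out case safe:", preflight(LOCKOUT)[0])
    print("step 6 ok:", verify_disabled(AFTER_DISABLE))
    print("step 10 ok after revert:", verify_reenabled(BEFORE, BEFORE))
```

Run the pre-flight against the output of both View scripts before step 5; if it reports no remaining admins, stop and provision a directory administrator first, since the only recovery once local users are disabled is the revert procedure in steps 9 and 10.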
ADDITIONAL INSTRUCTIONS:

FOR VRA 7.6 VERSION, FOLLOW THESE STEPS TO APPLY THE WORKAROUND

1. Copy the SQL scripts mentioned above to the Postgres master node on the vRA appliance.
2. On the master node, connect to the Postgres database (if the environment is a cluster).
   CMD: psql -U postgres -d vcac
3. Run the SQL queries from the workaround files with the "\i" command. Example:
   \i View-Active-Admin-users.sql
   \i Disable_All_Local_Users.sql

FOR VIDM 3.3.X VERSION, FOLLOW THESE STEPS TO APPLY THE WORKAROUND

1. Copy the SQL scripts mentioned above to the Postgres master node on the vIDM appliance.
2. To fetch the database password, run this command as the root user:
   CMD: cat /usr/local/horizon/conf/db.pwd
3. On the master node, connect to the Postgres database and enter the password from the previous command when prompted:
   CMD: psql -U horizon -d saas
4. Run the SQL queries from the workaround files with the "\i" command. Example:
   \i View-Active-Admin-users.sql
   \i Disable_All_Local_Users.sql

NOTE:

* Run the aforementioned SQL scripts against the Workspace ONE Access database as a user with the db_owner role (applicable to instances leveraging an external MS SQL database).
* If you upgrade the appliance to a later version, you will not need to re-apply the corresponding workaround.

RELATED INFORMATION

ADDITIONAL RESOURCES

* VMware Security Blog
* FAQs on Techzone
* Cumulative patch update guidance for vRA 7.6
* Patch instructions to address CVE-2022-22972, CVE-2022-22973 in Workspace ONE Access Appliance (VMware Identity Manager)

Change Log:

May 19, 2022 11:00 PDT:
1. Changed Disable_All_Local_users.sql to Disable_All_Local_Users.sql (the filename has a capital U).
2. Clarified in the first steps for 7.x and 3.3.x that the scripts need to be run against the Postgres master node.
3. For 3.3.x, added a step to fetch the password.
4. For 20.10.xx and 21.08.xx, added the first three steps to log in and back up.
5. Provided guidance for cloud instances of Workspace ONE Access.

Detectable by VMware Skyline

RELATED PRODUCTS:
* VMware Workspace ONE Access
* VMware Identity Manager

RELATED VERSIONS:
* VMware Identity Manager 3.3.x

ATTACHMENTS
* Disable_All_Local_Users
* Reenable_Disabled_Users
* View-Active-Local-users
* View-Active-Admin-users

Copyright © 2022 VMware, Inc. All rights reserved.