Security issue at hand:
VMware vCloud Director for Service Providers update resolves a Remote Session Hijack vulnerability in the Tenant and Provider Portals. Successful exploitation of this issue may allow a malicious actor to access the Tenant or Provider Portals by impersonating a currently logged in session.
Personal note / comment (I started adding this because my strategic accounts often ask me to evaluate the "real criticality/risk factor"):
This is a very critical issue that could directly affect customer/tenant data security, so I advise giving the test and upgrade procedure the highest priority. Make sure it is validated on test infrastructure before it is applied to production systems.
Security Advisory: https://www.vmware.com/security/advisories/VMSA-2019-0004.html
Prerequisites for this update:
- Read the Release Notes (above)
- If you are already running vCloud Director 9.5, no backend database service update (such as PostgreSQL 9.5 to 10) is required. If you do need one, please read my blog post on vCloud Director database upgrades.
- Back up the database and the cell services (no, a snapshot alone is NOT good enough!)
- Test your update/upgrade on your test system
- Upload the new binaries (My VMware link) to your vCloud Director cells.
- Mark the file executable.
- Install the upgrade:
- Database upgrade (only on one cell!):
- Done, please validate your vCloud Director instance according to standard test procedures.
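As an added example (not from the original post or from VMware), the cell-side steps above wrapped in a small POSIX shell runbook. It assumes the installer is a self-extracting `.bin` staged under `$STAGE_DIR` whose name starts with `vmware-vcloud-director-distribution-`, that the schema upgrade tool is `/opt/vmware/vcloud-director/bin/upgrade` (override with `VCD_UPGRADE_TOOL`), and it defaults to a dry-run mode that only prints the privileged commands. The gate variables (`BACKUP_CONFIRMED`, `TESTED_ON_TEST_SYSTEM`, `DB_UPGRADE_CELL`) are my own invention to enforce the prerequisites in the list: the run refuses to proceed without a confirmed backup and test run, and the database upgrade only runs on the one cell explicitly designated for it.

```shell
#!/bin/sh
# Added example runbook for the vCloud Director cell update steps; not VMware's tooling.
# ASSUMPTIONS: installer name pattern, upgrade tool path and gate variables are mine.
set -eu

STAGE_DIR="${STAGE_DIR:-/tmp/vcd-upgrade}"
VCD_UPGRADE_TOOL="${VCD_UPGRADE_TOOL:-/opt/vmware/vcloud-director/bin/upgrade}"
VCD_DRY_RUN="${VCD_DRY_RUN:-1}"   # default to dry run so nothing runs by accident

# Execute a privileged command, or print it when VCD_DRY_RUN=1.
run() {
  if [ "$VCD_DRY_RUN" = "1" ]; then
    printf 'DRY-RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# Locate exactly one uploaded installer binary; fail on none or several.
find_installer() {
  set -- "$STAGE_DIR"/vmware-vcloud-director-distribution-*.bin
  if [ $# -ne 1 ] || [ ! -f "$1" ]; then
    echo "expected exactly one installer in $STAGE_DIR, found: $*" >&2
    return 1
  fi
  printf '%s\n' "$1"
}

# Prerequisite gates: a DB + cell backup and a run on the test system must be confirmed.
check_gates() {
  if [ "${BACKUP_CONFIRMED:-0}" != "1" ]; then
    echo "set BACKUP_CONFIRMED=1 only after backing up database and cell services" >&2
    return 1
  fi
  if [ "${TESTED_ON_TEST_SYSTEM:-0}" != "1" ]; then
    echo "set TESTED_ON_TEST_SYSTEM=1 only after validating on test infrastructure" >&2
    return 1
  fi
}

# Mark the binary executable and run the installer on this cell.
install_on_cell() {
  installer="$(find_installer)"
  run chmod +x "$installer"
  run "$installer"
}

# The schema upgrade must run on exactly one cell; returns 2 when this cell is not it.
upgrade_database() {
  if [ "${DB_UPGRADE_CELL:-0}" != "1" ]; then
    echo "skipping database upgrade: run it on one designated cell only" >&2
    return 2
  fi
  run "$VCD_UPGRADE_TOOL"
}

main() {
  check_gates
  install_on_cell
  upgrade_database || [ $? -eq 2 ]
}

# Only act when invoked as: sh vcd-update.sh run
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it once with the default dry run on each cell to review the planned commands, then set `VCD_DRY_RUN=0` (and `DB_UPGRADE_CELL=1` on the single cell that performs the schema upgrade) for the real pass.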