On 28 March 2019 VMware released vCloud Director 9.5.0.3, which includes a highly critical security patch that all service providers running vCloud Director 9.5 should install as soon as possible.
Security issue at hand:
VMware vCloud Director for Service Providers update resolves a Remote Session Hijack vulnerability in the Tenant and Provider Portals. Successful exploitation of this issue may allow a malicious actor to access the Tenant or Provider Portals by impersonating a currently logged in session.
Personal note / comment (I started to add this as I often get asked by our strategic accounts to evaluate the "real criticality/risk factor"):
This is a very critical issue which could directly affect customer/tenant data security, therefore I advise giving the test and upgrade procedure the highest priority. Ensure this gets validated on test infrastructure before it is applied to production systems.
Release Notes: https://docs.vmware.com/en/vCloud-Director/9.5/rn/vCloud-Director-9503-for-Service-Providers-Release-Notes.html
Security Advisory: https://www.vmware.com/security/advisories/VMSA-2019-0004.html
Prerequisites for this update:
- Read the Release Notes (above)
- If you are already running vCloud Director 9.5, no backend database service update (such as from PostgreSQL 9.5 to 10) is required. If you do need that, please read my blog post on vCloud Director database upgrades.
- Back up the database and the cell services (NO, just a snapshot is NOT good enough!)
- Test your update/upgrade on your test system
Update procedure:
- Upload the new binaries (My VMware link) to your vCloud Director cells.
- Mark the file executable.
chmod a+x vmware-vcloud-director-distribution-9.5.0-12985626.bin
- Install the upgrade:
[root@vcd-test-01 ~]# ./vmware-vcloud-director-distribution-9.5.0-12985626.bin
Checking free disk space...done
Checking for a supported Linux distribution...Detected CentOS7 system
done
Checking for necessary RPM prerequisites...done
Extracting VMware vCloud Director. Please wait, this could take a few minutes...
vmware-vcloud-director-23.2019.03.25-12982517.x86_64.rpm
vmware-vcloud-director-rhel-23.2019.03.25-12982517.x86_64.rpm
vmware-vcloud-director-h5ui-23.2019.03.25-12982517.x86_64.rpm
vmware-phonehome-1.0.0-9490868.noarch.rpm
done
Verifying RPM signatures...done
An older version of VMware vCloud Director has been detected and will be
upgraded to 9.5.0.
If you choose to proceed, the installer will stop the vmware-vcd service,
back up any configuration files from the previous release and migrate the
product configuration as necessary.
Would you like to upgrade now? (y/n)? y
Upgrading VMware vCloud Director...
Waiting indefinitely for all active jobs on this cell to complete, if you
would like to limit how long this process will wait you can cancel this at
any time via CTRL+C and re-run providing the --abort-tasks-after-minutes
flag indicating the maximum number of minutes to wait for jobs to complete.
Successfully entered maintenance mode.
Stopping vmware-vcd-watchdog: [ OK ]
Stopping vmware-vcd-cell: [ OK ]
Installing the VMware vCloud Director 9.5.0 RPM...
warning: vmware-vcloud-director-23.2019.03.25-12982517.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID 66fd4949: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:vmware-vcloud-director-rhel-23.20################################# [ 14%]
2:vmware-vcloud-director-23.2019.03warning: /opt/vmware/vcloud-director/etc/global.properties created as /opt/vmware/vcloud-director/etc/global.properties.rpmnew
################################# [ 29%]
3:vmware-vcloud-director-h5ui-23.20################################# [ 43%]
4:vmware-phonehome-1.0.0-9490868 ################################# [ 57%]
Cleaning up / removing...
5:vmware-vcloud-director-h5ui-23.20################################# [ 71%]
6:vmware-vcloud-director-23.2018.11################################# [ 86%]
Update completed.
7:vmware-vcloud-director-rhel-23.20################################# [100%]
done
No DSA certificates found; disabling DSA ciphers for SSL/TLS connections. See KB 2056026 for details
Upgrade installation complete.
Next steps:
You will need to upgrade the database schema before starting the
vmware-vcd service. The product upgrade tool should be run only once per
vCloud Director group. The tool may be run with the following command:
/opt/vmware/vcloud-director/bin/upgrade
- Database upgrade (only on one cell!):
[root@vcd-test-01 ~]# /opt/vmware/vcloud-director/bin/upgrade
Welcome to the vCloud Director upgrade utility
Verify that you have a valid license key to use the version of the
vCloud Director software to which you are upgrading.
This utility will apply several updates to the database. Please
ensure you have created a backup of your database prior to continuing.
Do you wish to upgrade the product now? [Y/N] y
Examining database at URL: jdbc:postgresql://10.200.117.51:5432/vcloud?socketTimeout=90
The next step in the upgrade process will change the vCloud Director database schema.
Backup your database now using the tools provided by your database vendor.
Enter [Y] after the backup is complete. y
Running 5 upgrade tasks
Executing upgrade task:
Successfully ran upgrade task
Executing upgrade task:
Successfully ran upgrade task
Executing upgrade task:
Successfully ran upgrade task
Executing upgrade task:
..../Successfully ran upgrade task
Executing upgrade task:
Successfully ran upgrade task
Database upgrade complete
Upgrade complete
Would you like to start the vCloud Director service now? If you choose not
to start it now, you can manually start it at any time using this command:
service vmware-vcd start
Start it now? [y/n] y
Starting vmware-vcd-watchdog: [ OK ]
Starting vmware-vcd-cell [ OK ]
- Done, please validate your vCloud Director instance according to standard test procedures.
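As an added example (not code from the original post or from VMware), here is a small set of POSIX shell helpers a provider can use around the procedure above: a preflight check for one cell before running the installer (the binary is present and executable, and a database backup marker is newer than the binary) and a fleet report that confirms every cell reports the patched build afterwards. The patched package version string is the one printed by the installer output above; the cell names, the backup marker convention and the older pre-patch version string are constructed placeholders. The version comparison relies on GNU sort -V.

```shell
#!/bin/sh
# Added example, not code from the original post or from VMware: preflight and
# post-upgrade verification helpers for vCloud Director 9.5.0.3 cells.
# The patched VERSION-RELEASE string is taken from the installer output in the post;
# cell names and the older version used in the demo are constructed sample data.

# VERSION-RELEASE of the vmware-vcloud-director RPM shipped with 9.5.0.3 (from the post).
VCD_PATCHED_VERSION="23.2019.03.25-12982517"

# Installed package version on this cell, in the same VERSION-RELEASE form.
# Only meaningful on a real cell; the functions below accept a pre-captured string
# so they can also be run against values collected from other cells.
vcd_installed_version() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' vmware-vcloud-director 2>/dev/null
}

# Returns 0 when $1 is older than the patched build (cell still needs the update),
# 1 when it already is the patched build or newer. Uses GNU sort -V for natural
# version ordering (so 23.2018.11... sorts before 23.2019.03.25-12982517).
vcd_needs_patch() {
    installed="$1"
    target="${2:-$VCD_PATCHED_VERSION}"
    [ "$installed" = "$target" ] && return 1
    newest=$(printf '%s\n%s\n' "$installed" "$target" | sort -V | tail -n 1)
    [ "$newest" = "$target" ]
}

# Preflight for one cell: the installer must exist and be executable (the chmod a+x
# step from the post) and a database backup marker file (constructed convention: the
# backup job touches it when it finishes) must be newer than the installer, so an old
# backup cannot be mistaken for a fresh one. Returns 0 on success, otherwise a
# distinct non-zero code per failed check.
vcd_preflight() {
    installer="$1"
    backup_marker="$2"
    [ -f "$installer" ] || { echo "installer missing: $installer" >&2; return 1; }
    [ -x "$installer" ] || { echo "installer not executable, run chmod a+x: $installer" >&2; return 2; }
    [ -f "$backup_marker" ] || { echo "no database backup marker: $backup_marker" >&2; return 3; }
    [ "$backup_marker" -nt "$installer" ] || { echo "backup marker older than installer, take a fresh backup" >&2; return 4; }
    return 0
}

# Reads "cellname installed-version" lines on stdin (as collected from each cell via
# vcd_installed_version), prints one status line per cell and, as the last line,
# the number of cells that still need the patch.
vcd_fleet_report() {
    unpatched=0
    while read -r cell version; do
        [ -n "$cell" ] || continue
        if vcd_needs_patch "$version"; then
            echo "$cell $version NEEDS PATCH"
            unpatched=$((unpatched + 1))
        else
            echo "$cell $version ok"
        fi
    done
    echo "$unpatched"
}

# Demo with constructed sample data: hostnames and the pre-patch version are
# placeholders (the installer output only shows the old package as 23.2018.11...).
vcd_demo() {
    printf '%s\n' \
        "vcd-test-01 $VCD_PATCHED_VERSION" \
        "vcd-prod-01 23.2018.11.00-0000000" \
        "vcd-prod-02 23.2018.11.00-0000000" | vcd_fleet_report
}

vcd_demo
```

In practice the fleet report input would be built by running vcd_installed_version on each cell (for example over ssh) and feeding the collected lines to vcd_fleet_report; a non-zero last line means the session hijack fix is not yet in place everywhere.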