VMware has published an advisory regarding a recently discovered vulnerability that allows remote code execution on its Cloud Director product. The flaw is tracked as CVE-2022-22966 and has a CVSS score of 9.1, which rates it as critical.
Patches are ready
The vulnerability affects only VMware Cloud Director versions 10.3.x, 10.2.x, and 10.1.x. VMware has released patches that fix the flaw in versions 10.3.3, 10.2.2.3, and 10.1.4.1 respectively. The company urges administrators to apply the patches immediately, since attackers exploiting the flaw might gain access to sensitive data. It is also possible to take over private clouds across an entire infrastructure by exploiting the vulnerability.
The company has also provided a workaround for cases where updating the VMware Cloud Director instances is not possible. The workaround does not affect any Cloud Director functionality. Administrators can follow the steps below to secure their systems:
1- SSH to any Cell within the Server Group.
2- Download the WA_CVE-2022-22966.sh script to the /tmp directory.
3- Modify the permissions of the file to allow execution:
chown root:vcloud /tmp/WA_CVE-2022-22966.sh
chmod 740 /tmp/WA_CVE-2022-22966.sh
4- Navigate to the /tmp directory of the Cell.
5- Execute the script.
6- Ensure the services on the current Cloud Director Cell have restarted before running the script on subsequent Cells. You can watch the restart with:
tail -f /opt/vmware/vcloud-director/logs/cell.log
7- To verify that the workaround has been applied correctly, check both the existing config and the runtime settings of the Cloud Director Cell. To check the config, run the following command:
grep trustSerialData /opt/vmware/vcloud-director/bin/vmware-vcd-cell-common
8- To check the runtime settings, use any system that can connect to the Cell's JMX port (8999) with either jConsole or jmxterm. In jConsole, connect to the Cell, click the MBeans tab in the top navigation bar and follow the navigation tree: java.lang > Runtime > Attributes > SystemProperties. Double-click javax.management.openmbean.TabularDataSupport and scroll until you find com.sun.jndi.ldap.object.trustSerialData; the key, value pair must be present and the value must be false.
With jmxterm, run the following command, filling in the parameters in angle brackets:
echo "get --domain java.lang -b type=Runtime SystemProperties" | java -jar <path to jmxterm-1.0.2-uber.jar> -n -l <Cell FQDN>:8999 -u <administrator> -p '<administrator password>' | /bin/grep -A2 com.sun.jndi.ldap.object.trustSerialData
As with jConsole, you will get a key, value pair, and you should expect to see a value of false. Running the script a second time will report that the Cell is “Protected”.
9- SSH to the remaining Cells serially and repeat steps 3-5 until all Cells in the Server Group are patched.
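The following shell functions are an added example, not VMware's WA_CVE-2022-22966.sh: they turn the manual checks of steps 7 and 8 into a per-Cell pass/fail verdict by parsing the config file and a captured jmxterm output. The exact layout of vmware-vcd-cell-common and of the jmxterm output, and the sample inputs, are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not VMware's WA_CVE-2022-22966.sh: verify per Cell that
# com.sun.jndi.ldap.object.trustSerialData is false on disk (step 7) and at
# runtime (step 8). File layouts below are assumptions; adjust to your Cells.

PROP="com.sun.jndi.ldap.object.trustSerialData"

# Step 7 check: succeed if the file passes the property as a -D JVM option set to false.
config_protected() {
  grep -q -- "-D${PROP}=false" "$1"
}

# Step 8 check: succeed if the captured "jmxterm | grep -A2" output shows the
# property followed by a "value" line reading false (assumed shape, see make_samples).
runtime_protected() {
  awk -v prop="$PROP" '
    $0 ~ prop        { seen = 1; next }
    seen && /value/  { if ($0 ~ /false/) ok = 1; seen = 0 }
    END              { exit (ok ? 0 : 1) }
  ' "$1"
}

# Report one Cell: "Protected" only when both checks pass.
cell_status() {
  name=$1; cfg=$2; jmx=$3
  if config_protected "$cfg" && runtime_protected "$jmx"; then
    echo "$name: Protected"; return 0
  fi
  echo "$name: NOT protected (config=$(config_protected "$cfg" && echo ok || echo missing), runtime=$(runtime_protected "$jmx" && echo ok || echo missing))"
  return 1
}

# Constructed sample inputs (not captured from a real Cell) so this runs offline.
make_samples() {
  d=$(mktemp -d)
  printf 'JAVA_OPTS="-Xmx4g -D%s=false"\n' "$PROP" > "$d/common.patched"
  printf 'JAVA_OPTS="-Xmx4g"\n'                    > "$d/common.unpatched"
  printf '  key = %s;\n  value = false;\n' "$PROP" > "$d/jmx.false"
  printf '  key = %s;\n  value = true;\n'  "$PROP" > "$d/jmx.true"
  echo "$d"
}

# Demo when run directly: sh check_trustserialdata.sh --demo
if [ "${1:-}" = "--demo" ]; then
  D=$(make_samples)
  cell_status cell01 "$D/common.patched"   "$D/jmx.false"
  cell_status cell02 "$D/common.unpatched" "$D/jmx.true" || true
  rm -rf "$D"
fi
```

On a real Cell, pass /opt/vmware/vcloud-director/bin/vmware-vcd-cell-common and a file holding the output of the jmxterm command from step 8 in place of the constructed samples.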