vom-Patch-8.0.0.110
Obsolete
The latest patch(es) : vom-Patch-8.0.0.500 

 Basic information
Release type: Patch
Release date: 2022-06-02
OS update support: None
Technote: None
Documentation: None
Popularity: 284 viewed    downloaded
Download size: 629.81 MB
Checksum: 2649989629

 Applies to one or more of the following products:
Operations Manager 8.0.0.0 On AIX
Operations Manager 8.0.0.0 On Linux
Operations Manager 8.0.0.0 On Solaris 11 SPARC
Operations Manager 8.0.0.0 On Solaris 11 X64
Operations Manager 8.0.0.0 On Windows x64

 Obsolete patches, incompatibilities, superseded patches, or other requirements:

This patch is obsolete. It is superseded by (patch, release date):
vom-Patch-8.0.0.500 2023-06-27
vom-Patch-8.0.0.420 (obsolete) 2023-06-05
vom-Patch-8.0.0.400 (obsolete) 2023-03-31
vom-Patch-8.0.0.310 (obsolete) 2023-02-28
vom-Patch-8.0.0.230 (obsolete) 2022-12-08
vom-Patch-8.0.0.220 (obsolete) 2022-11-15
vom-Patch-8.0.0.210 (obsolete) 2022-09-30
vom-Patch-8.0.0.200 (obsolete) 2022-08-29
vom-Patch-8.0.0.120 (obsolete) 2022-07-01

This patch supersedes the following patches (patch, release date):
vom-Patch-8.0.0.100 (obsolete) 2022-02-27

 Fixes the following incidents:
4067024, 4067034, 4067041, 4067046, 4067050, 4067053, 4067056, 4067058, 4067130, 4067133, 4067136, 4067147, 4076527, 4076531, 4076534, 4076791, 4076798, 4076801

 Patch ID:
None.

Readme file
                          * * * READ ME * * *
               * * * Veritas Operations Manager 8.0 * * *
                         * * * Patch 110 * * *
                         Patch Date: 2022-06-01


This document provides the following information:

   * PATCH NAME
   * OPERATING SYSTEMS SUPPORTED BY THE PATCH
   * PACKAGES AFFECTED BY THE PATCH
   * BASE PRODUCT VERSIONS FOR THE PATCH
   * SUMMARY OF INCIDENTS FIXED BY THE PATCH
   * DETAILS OF INCIDENTS FIXED BY THE PATCH
   * INSTALLATION PRE-REQUISITES
   * INSTALLING THE PATCH
   * REMOVING THE PATCH


PATCH NAME
----------
Veritas Operations Manager 8.0 Patch 110


OPERATING SYSTEMS SUPPORTED BY THE PATCH
----------------------------------------
AIX 7.1
AIX 7.2
RHEL7 x86-64
RHEL8 x86-64
SLES12 x86-64
SLES15 x86-64
Solaris 11 SPARC
Solaris 11 X86
Windows 2016 X64
Windows 2019 X64



BASE PRODUCT VERSIONS FOR THE PATCH
-----------------------------------
   * Veritas Operations Manager 8.0.0.0


SUMMARY OF INCIDENTS FIXED BY THE PATCH
---------------------------------------
Patch ID: vom-HF0800110
* 4076527 (4076526) Tomcat upgraded to 9.0.63
* 4076531 (4076530) Java upgraded to 8.332.08.1
* 4076534 (4076533) Spring Framework upgraded to 5.3.19
* 4076791 (4076790) jackson-databind upgraded to 2.13.2.2
* 4076798 (4076797) PostgreSQL JDBC Driver upgraded to 42.3.4
* 4076801 (4076800) PostgreSQL Database Server upgraded to 10.21
Patch ID: vom-HF0800100
* 4067024 (4067023) /dev/nul file is getting created on VIOM Linux management server
* 4067034 (4067033) Product Enhancement - InfoScale licensing reconciliation tool
* 4067041 (4067040) log4j2 vulnerabilities fixes
* 4067046 (4067045) Apache Tomcat vulnerability issue CVE-2022-23181 in versions below 9.0.58.
* 4067050 (4067049) 'Per Core License Information' report displays incorrect License information.
* 4067053 (4067052) VIOM Web APIs /vom/api/gencert and /vom/api/login issues.
* 4067056 (4067055) Product Enhancement - Support for InfoScale servers hosted in AWS cloud environments
* 4067058 (4067057) Product Enhancement - Discovers FULLFSCK flag on VxFS file system and generates fault on file system corruption.
* 4067130 (4067129) 'InfoScale version' shows N/A for some of the InfoScale servers.
* 4067133 (4067132) Security fix - A reflected cross-site scripting (XSS) vulnerability allows a malicious VIOM user to inject malicious script into another user's browser (CWE-79).
* 4067136 (4067135) Security fix - An absolute path traversal vulnerability allows a user to gain unauthorized access to resources on the server (CWE-36).
* 4067147 (4067146) Product Enhancement - Global VVR Monitoring Thresholds


DETAILS OF INCIDENTS FIXED BY THE PATCH
---------------------------------------
This patch fixes the following incidents:

Patch ID: vom-HF0800110

* 4076527 (Tracking ID: 4076526)

SYMPTOM:
Vulnerabilities reported against the bundled Apache Tomcat.

DESCRIPTION:
Tomcat upgraded to 9.0.63.

RESOLUTION:
Upgraded Tomcat to 9.0.63, the latest release at the time of the patch.

* 4076531 (Tracking ID: 4076530)

SYMPTOM:
Vulnerabilities reported against the bundled Java runtime.

DESCRIPTION:
Java upgraded to 8.332.08.1.

RESOLUTION:
Upgraded Java to 8.332.08.1, the latest release at the time of the patch.

* 4076534 (Tracking ID: 4076533)

SYMPTOM:
Vulnerabilities reported against the bundled Spring Framework.

DESCRIPTION:
Spring Framework upgraded to 5.3.19.

RESOLUTION:
Upgraded Spring Framework to 5.3.19, the latest release at the time of the patch.

* 4076791 (Tracking ID: 4076790)

SYMPTOM:
Vulnerabilities reported against the bundled jackson-databind.

DESCRIPTION:
jackson-databind upgraded to 2.13.2.2.

RESOLUTION:
Upgraded jackson-databind to 2.13.2.2, the latest release at the time of the patch.

* 4076798 (Tracking ID: 4076797)

SYMPTOM:
Vulnerabilities reported against the bundled PostgreSQL JDBC Driver.

DESCRIPTION:
PostgreSQL JDBC Driver (pgjdbc) upgraded from 42.2.19 to the latest available version, 42.3.4.

RESOLUTION:
Upgraded the PostgreSQL JDBC Driver to 42.3.4.

* 4076801 (Tracking ID: 4076800)

SYMPTOM:
Vulnerabilities reported against the bundled PostgreSQL Database Server.

DESCRIPTION:
PostgreSQL Database Server upgraded from 10.17 to the latest available version, 10.21.

RESOLUTION:
Upgraded the PostgreSQL Database Server to 10.21.

Patch ID: vom-HF0800100

* 4067024 (Tracking ID: 4067023)

SYMPTOM:
You may see that a /dev/nul file is created on the VIOM Linux management server after the 7.4.2.500 patch upgrade.

DESCRIPTION:
After applying VIOM patch 7.4.2.500 on a Linux VIOM management server, a /dev/nul file (a misspelling of /dev/null) can be created on the system.

RESOLUTION:
Changed /dev/nul to /dev/null.

* 4067034 (Tracking ID: 4067033)

SYMPTOM:
N/A

DESCRIPTION:
License Reconciliation is a feature that compares InfoScale license usage data against each entitlement and provides a view of the effective license position summary of an organization. Refer to the technotes below for more details.
https://www.veritas.com/support/en_US/doc/viom_technote_7.4.2.600 - VIOM version 7.4.2
https://www.veritas.com/support/en_US/doc/viom_technote_8.0.0.100 - VIOM version 8.0

RESOLUTION:
N/A

* 4067041 (Tracking ID: 4067040)

SYMPTOM:
log4j2 vulnerabilities reported.

DESCRIPTION:
This patch upgrades log4j2 to version 2.17.1 on VIOM Management Servers to address the following vulnerabilities:
CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-4104, CVE-2021-44832, CVE-2019-17571

This hotfix is mandatory for VIOM Management Servers and Managed Hosts/Agents. It upgrades the log4j component to version 2.17.1 on VIOM Management Servers and removes the log4j jars from Windows Managed Hosts. Removing the log4j jars from Managed Hosts/Agents does not affect any VIOM functionality.

Note that CVE-2021-4104 and CVE-2019-17571 are defects in log4j 1.x, not log4j2, so a log4j2 upgrade on its own does not address them; after patching, confirm that no log4j 1.x jar remains on the host.

RESOLUTION:
Upgraded log4j2 to 2.17.1
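
A post-patch check, added here as an example and not part of Veritas's patch or tooling, that covers both this log4j fix and the jar-shipped components in the HF0800110 list above (Spring 5.3.19, jackson-databind 2.13.2.2, pgjdbc 42.3.4): it walks an install tree for jars whose file names carry a version below the one this patch ships, flags any log4j 1.x jar (which the log4j2 upgrade does not touch), and opens each log4j-core jar to confirm JndiLookup.class is gone. The install path and the jar-name patterns are assumptions; Tomcat, Java and the PostgreSQL server are not jar-named and are not covered. The sample tree is constructed in a temporary directory:

```python
"""Post-patch jar check for a VIOM install tree. Added example, not Veritas
code; the install path and jar-name patterns are assumptions."""
import re
import tempfile
import zipfile
from pathlib import Path

# Minimum versions come from the readme above; the jar-name patterns are an
# assumption about how the components are laid out on disk.
EXPECTED = {
    "log4j-core":       ((2, 17, 1),    re.compile(r"^log4j-core-([\d.]+)\.jar$")),
    "jackson-databind": ((2, 13, 2, 2), re.compile(r"^jackson-databind-([\d.]+)\.jar$")),
    "spring-core":      ((5, 3, 19),    re.compile(r"^spring-core-([\d.]+)\.jar$")),
    "pgjdbc":           ((42, 3, 4),    re.compile(r"^postgresql-([\d.]+)\.jar$")),
}
# log4j 1.x is a separate code base: CVE-2021-4104 / CVE-2019-17571 go away
# only when these jars are removed, not through the log4j2 upgrade.
LOG4J1 = re.compile(r"^log4j-(1\.[\d.]+)\.jar$")
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text: str) -> tuple:
    """'2.13.2.2' -> (2, 13, 2, 2); tuple comparison gives numeric ordering."""
    return tuple(int(p) for p in text.strip(".").split("."))


def has_jndi_lookup(jar: Path) -> bool:
    """True if the jar still packages the class behind CVE-2021-44228."""
    try:
        with zipfile.ZipFile(jar) as zf:
            return JNDI_LOOKUP in zf.namelist()
    except zipfile.BadZipFile:
        return False  # not a real jar; the version check still applies


def scan(root) -> list:
    """Return (jar path, reason) pairs for every jar that fails a check."""
    findings = []
    for jar in sorted(Path(root).rglob("*.jar")):
        if LOG4J1.match(jar.name):
            findings.append((str(jar), "log4j 1.x jar present; remove it"))
            continue
        for component, (minimum, pattern) in EXPECTED.items():
            match = pattern.match(jar.name)
            if not match:
                continue
            found = match.group(1)
            if parse_version(found) < minimum:
                want = ".".join(map(str, minimum))
                findings.append((str(jar), f"{component} {found} is below {want}"))
            if component == "log4j-core" and has_jndi_lookup(jar):
                findings.append((str(jar), "JndiLookup.class still packaged"))
    return findings


def _write_jar(path: Path, entries=()):
    """Constructed sample jar: a zip holding the given (empty) entry names."""
    with zipfile.ZipFile(path, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"")


def demo() -> list:
    """Build a constructed install tree and return (jar name, reason) pairs."""
    with tempfile.TemporaryDirectory() as root:
        lib = Path(root) / "lib"
        lib.mkdir()
        _write_jar(lib / "log4j-core-2.14.1.jar", [JNDI_LOOKUP])  # pre-patch, vulnerable
        _write_jar(lib / "log4j-core-2.17.1.jar")                 # patched level
        _write_jar(lib / "log4j-1.2.17.jar")                      # leftover 1.x
        _write_jar(lib / "jackson-databind-2.13.2.1.jar")         # one release short
        _write_jar(lib / "spring-core-5.3.19.jar")                # patched level
        _write_jar(lib / "postgresql-42.2.19.jar")                # pre-patch pgjdbc
        return [(Path(p).name, why) for p, why in scan(root)]


if __name__ == "__main__":
    for name, why in demo():
        print(f"{name}: {why}")
```

Point scan() at the management server's installation directory on a host where the patch has been applied; an empty result means every jar it recognises is at or above the patch level. Versions are compared as integer tuples, so 2.13.2.2 sorts above 2.13.2.1 and 42.3.4 above 42.2.19, which a plain string comparison gets wrong.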

* 4067046 (Tracking ID: 4067045)

SYMPTOM:
Apache Tomcat vulnerability CVE-2022-23181 in versions below 9.0.58.

DESCRIPTION:
This patch upgrades Apache Tomcat to version 9.0.58 to fix CVE-2022-23181.

RESOLUTION:
Upgraded Tomcat to version 9.0.58 in this VIOM patch (the HF0800110 fixes above move it further to 9.0.63; see 4076527).

* 4067050 (Tracking ID: 4067049)

SYMPTOM:
The 'Per Core License Information' report does not show the correct 'Core to License' value.

DESCRIPTION:
VIOM GUI -> Licensing perspective -> Report -> 'Per Core License Information' displays an incorrect 'Core to License' count for the InfoScale version in use.

RESOLUTION:
Fixed the DB schema so the report returns the correct 'Core to License' count.

* 4067053 (Tracking ID: 4067052)

SYMPTOM:
Unable to log in using the Web API service in VIOM 8.0.

DESCRIPTION:
You may be unable to run the '/vom/api/gencert' VIOM web API to generate a certificate. This patch fixes the certificate generation issue.
When calling /vom/api/gencert with curl, pass the '-G' option so that the '-d' values are sent as URL query parameters (a GET request) rather than as a POST body.

e.g.
curl -G -g -k -d user=user -d password=password -d domain=ManagementServer_hostname https://ManagementServer_hostname:14161/vom/api/gencert > /root/cert.txt

Note that '-k' disables TLS certificate verification, so the credentials are sent to whatever answers on that port; once the management server's CA certificate is available to the client, use '--cacert' instead of '-k'. The password also appears in the process list and shell history when passed this way.

RESOLUTION:
Fixed the /vom/api/gencert API and updated the VIOM 8.0 user guide to use the '-G' option in the /vom/api/gencert curl command.

* 4067056 (Tracking ID: 4067055)

SYMPTOM:
N/A

DESCRIPTION:
Veritas InfoScale Operations Manager supports discovery of InfoScale hosts in an AWS cloud environment only if the hosts are running Linux or Windows.

VIOM discovers AWS cloud parameters/properties for InfoScale servers hosted in AWS under the Server and Availability perspectives, along with the other host parameters/properties. For more information, refer to technote https://www.veritas.com/support/en_US/doc/viom_technote_8.0.0.100.

RESOLUTION:
N/A

* 4067058 (Tracking ID: 4067057)

SYMPTOM:
N/A

DESCRIPTION:
Veritas InfoScale Operations Manager checks for the FULLFSCK flag on each VxFS file system every 24 hours. If the file system is corrupted, the fault 'SF_FILESYSTEM_CORRUPTED' is raised. For more information, refer to the technotes below.
https://www.veritas.com/support/en_US/doc/viom_technote_7.4.2.600 - VIOM version 7.4.2
https://www.veritas.com/support/en_US/doc/viom_technote_8.0.0.100 - VIOM version 8.0

RESOLUTION:
N/A

* 4067130 (Tracking ID: 4067129)

SYMPTOM:
InfoScale deployment details or some reports under the Licensing perspective show the InfoScale version as N/A.

DESCRIPTION:
The InfoScale version may be displayed as N/A in some Licensing reports and in the 'Deployment details' tab. This occurs on InfoScale servers where only InfoScale Availability is installed.

RESOLUTION:
Added a fix to obtain the InfoScale version when only InfoScale Availability is installed.

* 4067133 (Tracking ID: 4067132)

SYMPTOM:
An authenticated remote attacker (administrative/root role) can inject arbitrary web script or HTML into an HTTP GET parameter that is reflected to the user without sanitization.

DESCRIPTION:
A reflected cross-site scripting (XSS) vulnerability affects the Veritas Operations Manager application. An authenticated remote attacker can inject arbitrary web script or HTML into an HTTP GET parameter whose value is reflected into the response without sanitization, so that it runs in the browser of another user who opens the crafted link.
Access to the web application as a user with the administrative/root role is required.
Severity : Medium

Refer to the technotes for more details.
https://www.veritas.com/support/en_US/doc/viom_technote_7.4.2.600 - VIOM version 7.4.2
https://www.veritas.com/support/en_US/doc/viom_technote_8.0.0.100 - VIOM version 8.0

RESOLUTION:
Fixed the affected endpoint.

* 4067136 (Tracking ID: 4067135)

SYMPTOM:
An authenticated remote attacker (administrative/root role) can manipulate the resource name in GET requests that refer to files, supplying an absolute path, and thereby read arbitrary files stored on the filesystem.

DESCRIPTION:
The web server fails to sanitize the resource name, allowing a remote authenticated attacker to read arbitrary files on the filesystem.
By replacing the resource name in such GET requests with an absolute path, it is possible to access files outside the intended resource directory (CWE-36, absolute path traversal).
Access to the web application as a user with the administrative/root role is required.
Severity : Low

Refer to the technotes for more details.
https://www.veritas.com/support/en_US/doc/viom_technote_7.4.2.600 - VIOM version 7.4.2
https://www.veritas.com/support/en_US/doc/viom_technote_8.0.0.100 - VIOM version 8.0

RESOLUTION:
Fixed the affected endpoint.
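
The two input-handling defects above (4067133 and 4067136), as an added example in Python and not VIOM code: a GET handler that serves a named resource, shown first in the vulnerable form where an absolute or '..' name escapes the resource directory, then hardened so the resolved path must sit below the base directory; and a page that reflects a query parameter, vulnerable and then HTML-escaped. The resource directory, the parameter name 'q' and the inputs are assumptions, constructed in a temporary directory:

```python
"""Vulnerable and hardened forms of the two defects fixed by 4067133/4067136.
Added example, not VIOM code; paths and the 'q' parameter are assumptions."""
import html
import ntpath
import posixpath
import tempfile
from pathlib import Path

# ---- CWE-36: absolute path traversal in a "serve this resource" GET handler ----

def read_resource_vulnerable(base_dir, name: str) -> bytes:
    """Trusts the client-supplied name. Path joining discards base_dir when the
    name is absolute, and '..' walks out of it, so ?name=/etc/passwd or
    ?name=../secret.txt reads a file the handler was never meant to serve."""
    return (Path(base_dir) / name).read_bytes()


def resolve_resource(base_dir, name: str) -> Path:
    """Reject absolute names on either path convention, then require the
    resolved target to sit strictly below base_dir (catches '..' and symlinks)."""
    if not name or "\x00" in name or posixpath.isabs(name) or ntpath.isabs(name):
        raise PermissionError(f"absolute or malformed resource name: {name!r}")
    base = Path(base_dir).resolve()
    target = (base / name).resolve()
    if base not in target.parents:
        raise PermissionError(f"resource escapes {base}: {name!r}")
    return target


def read_resource_hardened(base_dir, name: str) -> bytes:
    return resolve_resource(base_dir, name).read_bytes()


# ---- CWE-79: reflected XSS in a page that echoes a GET parameter ----

def render_vulnerable(query: dict) -> str:
    """Reflects the raw value of the (assumed) 'q' parameter into the page."""
    return f"<p>No results for {query.get('q', '')}</p>"


def render_hardened(query: dict) -> str:
    """Escapes the value for an HTML text context before reflecting it."""
    return f"<p>No results for {html.escape(query.get('q', ''), quote=True)}</p>"


def demo() -> dict:
    """Constructed inputs: a resource tree in a temp dir plus an XSS payload."""
    out = {}
    with tempfile.TemporaryDirectory() as root:
        res = Path(root) / "resources"
        res.mkdir()
        (res / "report.txt").write_bytes(b"ok")
        (Path(root) / "secret.txt").write_bytes(b"not for you")
        out["legit"] = read_resource_hardened(res, "report.txt")
        for bad in ("../secret.txt", "/etc/passwd", r"C:\Windows\win.ini"):
            try:
                read_resource_hardened(res, bad)
                out[bad] = "served"
            except PermissionError:
                out[bad] = "blocked"
        # The vulnerable handler walks straight out of the resource directory.
        out["vuln_escape"] = read_resource_vulnerable(res, "../secret.txt")
    payload = {"q": "<script>alert(1)</script>"}
    out["vuln_html"] = render_vulnerable(payload)
    out["safe_html"] = render_hardened(payload)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The hardened resolver rejects absolute names on both POSIX and Windows conventions before touching the filesystem, then resolves the joined path and checks containment, which is what closes the '..' and symlink variants that a prefix check on the raw string misses. The escaping is for an HTML text context only; a value reflected into an attribute, a script block or a URL needs the encoding for that context.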

* 4067147 (Tracking ID: 4067146)

SYMPTOM:
N/A

DESCRIPTION:
The VIOM server administrator can now use the Global VVR Monitoring Threshold wizard to set replication threshold values for all VVR replication in the environment.

Refer to the technote for more details.
https://www.veritas.com/support/en_US/doc/viom_technote_8.0.0.100

RESOLUTION:
N/A



INSTALLING THE PATCH
--------------------
IMPORTANT NOTE: Back up the database, following the instructions in the Admin guide, before installing this Hotfix.

This Hotfix applies to VIOM 8.0 Managed Hosts as well as the VIOM 8.0 Management Server.

1. Download the file vom-8.0.0.110.sfa and verify it against the checksum listed in the Basic information section above.
2. Launch a browser and log in to the VIOM management server.
3. Navigate to Settings -> Deployment.
4. Upload the Hotfix to the VIOM CMS using the Upload Solutions button.
   The Hotfix vom-8.0.0.110 should then be visible under the Hot Fixes tree node.
5. Install this Hotfix on the CS using the following steps:
   - Go to Settings -> Deployment -> Hot Fixes -> Veritas InfoScale Operations Manager Managed Host.
   - Click the Hot Fixes tab, then the Applicable Hosts tab.
   - Right-click the CS name and click Install.


REMOVING THE PATCH
------------------
NONE


SPECIAL INSTRUCTIONS
--------------------
NONE


OTHERS
------
NONE