vom-Patch-8.0.0.420
Obsolete
The latest patch(es) : vom-Patch-8.0.0.500 

 Basic information
Release type: Patch
Release date: 2023-06-05
OS update support: None
Technote: None
Documentation: None
Popularity: 183 viewed    downloaded
Download size: 568.53 MB
Checksum: 1083533341

 Applies to one or more of the following products:
Operations Manager 8.0.0.0 On AIX
Operations Manager 8.0.0.0 On Linux
Operations Manager 8.0.0.0 On Solaris 11 SPARC
Operations Manager 8.0.0.0 On Solaris 11 X64
Operations Manager 8.0.0.0 On Windows x64

 Obsolete patches, incompatibilities, superseded patches, or other requirements:

This patch is obsolete. It is superseded by:
    vom-Patch-8.0.0.500               Release date: 2023-06-27

This patch supersedes the following patches:
    vom-Patch-8.0.0.400 (obsolete)    Release date: 2023-03-31
    vom-Patch-8.0.0.310 (obsolete)    Release date: 2023-02-28
    vom-Patch-8.0.0.230 (obsolete)    Release date: 2022-12-08
    vom-Patch-8.0.0.220 (obsolete)    Release date: 2022-11-15
    vom-Patch-8.0.0.210 (obsolete)    Release date: 2022-09-30
    vom-Patch-8.0.0.200 (obsolete)    Release date: 2022-08-29
    vom-Patch-8.0.0.120 (obsolete)    Release date: 2022-07-01
    vom-Patch-8.0.0.110 (obsolete)    Release date: 2022-06-02
    vom-Patch-8.0.0.100 (obsolete)    Release date: 2022-02-27

 Fixes the following incidents:
4067024, 4067034, 4067041, 4067046, 4067050, 4067053, 4067056, 4067058, 4067130, 4067133, 4067136, 4067147, 4076527, 4076531, 4076534, 4076791, 4076798, 4076801, 4080541, 4080542, 4080546, 4080727, 4086839, 4086843, 4086847, 4086852, 4086855, 4086861, 4086867, 4086873, 4086990, 4089978, 4089985, 4090027, 4095566, 4095902, 4098841, 4100726, 4100839, 4100844, 4108966, 4109349, 4109360, 4112476, 4112526, 4112529, 4112532, 4112563, 4115485, 4115498, 4119263, 4119390, 4119394

 Patch ID:
None.

Readme file
                          * * * READ ME * * *
               * * * Veritas Operations Manager 8.0 * * *
                         * * * Patch 420 * * *
                         Patch Date: 2023-06-02


This document provides the following information:

   * PATCH NAME
   * OPERATING SYSTEMS SUPPORTED BY THE PATCH
   * PACKAGES AFFECTED BY THE PATCH
   * BASE PRODUCT VERSIONS FOR THE PATCH
   * SUMMARY OF INCIDENTS FIXED BY THE PATCH
   * DETAILS OF INCIDENTS FIXED BY THE PATCH
   * INSTALLATION PRE-REQUISITES
   * INSTALLING THE PATCH
   * REMOVING THE PATCH


PATCH NAME
----------
Veritas Operations Manager 8.0 Patch 420


OPERATING SYSTEMS SUPPORTED BY THE PATCH
----------------------------------------
AIX 7.1
AIX 7.2
RHEL7 x86-64
RHEL8 x86-64
SLES12 x86-64
SLES15 x86-64
Solaris 11 SPARC
Solaris 11 X64
Windows 2016 X64
Windows 2019 X64



BASE PRODUCT VERSIONS FOR THE PATCH
-----------------------------------
   * Veritas Operations Manager 8.0.0.0


SUMMARY OF INCIDENTS FIXED BY THE PATCH
---------------------------------------
Patch ID: vom-HF0800420
* 4119263 (4119258) Security vulnerability fixes in VIOM security patch 8.0.0.420.
* 4119390 (4119389) Enclosure connectivity tab shows Unknown state in server perspective.
* 4119394 (4119393) Disk Group utilization chart shows a negative value for spare size for some DGs.
Patch ID: vom-HF0800410
* 4115485 (4115477) Security vulnerability fixes in Veritas InfoScale Operations Manager.
* 4115498 (4115494) Security vulnerability fixes in VIOM security patch 8.0.0.410.
Patch ID: vom-HF0800400
* 4112476 (4112473) Security vulnerability fixes in VIOM patch 8.0.0.400.
* 4112526 (4112525) Unable to add guest/admin permission to user group for server perspective.
* 4112529 (4112528) Added HSTS header for xprtld service running on port 5634.
* 4112532 (4112531) Windows MH is reported as down after Teams NIC device changes its MAC address on reboot.
* 4112563 (4112562) Product Enhancement - "#Cores(vCPUs)" count calculation changes for Linux Virtual Machines (deployed on premises or in Cloud) when Hyper-Threading is enabled.
Patch ID: vom-HF0800310
* 4108966 (4108965) Security vulnerability fixes in VIOM security patch 8.0.0.310.
* 4109349 (4109347) Patch upgrade on VIOM Management Server fails.
* 4109360 (4109359) After patch upgrade on VIOM Management Server 8.0, LDAP login may fail.
Patch ID: vom-HF0800300
* 4100726 (4100725) Security vulnerability fixes in VIOM security patch 8.0.0.300.
* 4100839 (4100838) Post VIOM CMS upgrade, the '/opt/VRTSsfmcs/config/vcs/sfmha start' CLI fails on CMS-CFSHA.
* 4100844 (4100841) Product Enhancement - Core Plus License report for 'InfoScale for Kubernetes'.
Patch ID: vom-HF0800230
* 4098841 (4098835) Security vulnerability fixes in VIOM security patch 8.0.0.230.
Patch ID: vom-HF0800220
* 4095566 (4095565) Security vulnerability fixes in VIOM security patch 8.0.0.220.
* 4095902 (4095901) Post upgrade to 8.0.0.210, user fails to log in to VIOM GUI.
Patch ID: vom-HF0800210
* 4089978 (4089977) Security vulnerability fixes in VIOM security patch 8.0.0.210.
* 4089985 (4089983) Suspected HSTS vulnerability in VIOM on ports 14161 and 5634.
* 4090027 (4090007) Removal of example applications, documentation, and other directories of Apache Tomcat.
Patch ID: vom-HF0800200
* 4086839 (4086838) at_migrate.pl script does not work with VIOM versions higher than 7.x.
* 4086843 (4086841) Product Enhancement - US Federal Executive Order - Logging changes (EL1 logging and auditing requirements).
* 4086847 (4086846) Product Enhancement - Detection of VIOM certificate expiry time and renewal.
* 4086852 (4086851) Security vulnerability fixes in VIOM.
* 4086855 (4086853) VIOM logs were growing beyond the defined limit on Windows.
* 4086861 (4086860) Faults are not listed under the Faults tab in VIOM GUI.
* 4086867 (4086866) Mitigation for CVE-2020-9484 vulnerability.
* 4086873 (4086872) Enable 'Flexible Storage Sharing' check box is disabled in Create Disk Group operation on cluster in VIOM GUI.
* 4086990 (4086989) Product Enhancement - Faults to detect VVR Rlink detached and SRL disabled.
Patch ID: vom-HF0800120
* 4080541 (4080538) Spring Framework upgraded to 5.3.21.
* 4080542 (4080540) Tomcat upgraded to 9.0.64.
* 4080546 (4080545) Upgraded google-gson jar to latest available version: 2.9.0.
* 4080727 (4080726) Product Enhancement - Support for forward secrecy ciphers for xprtld service.
Patch ID: vom-HF0800110
* 4076527 (4076526) Tomcat upgraded to 9.0.63.
* 4076531 (4076530) Java upgraded to 8.332.08.1.
* 4076534 (4076533) Spring Framework upgraded to 5.3.19.
* 4076791 (4076790) jackson-databind upgraded to 2.13.2.2.
* 4076798 (4076797) PostgreSQL JDBC Driver upgraded to 42.3.4.
* 4076801 (4076800) PostgreSQL Database Server upgraded to 10.21.
Patch ID: vom-HF0800100
* 4067024 (4067023) /dev/nul file is getting created on VIOM Linux management server.
* 4067034 (4067033) Product Enhancement - InfoScale licensing reconciliation tool.
* 4067041 (4067040) log4j2 vulnerability fixes.
* 4067046 (4067045) Apache Tomcat vulnerability CVE-2022-23181 in versions below 9.0.58.
* 4067050 (4067049) 'Per Core License Information' report displays incorrect license information.
* 4067053 (4067052) VIOM Web API /vom/api/gencert and /vom/api/login issues.
* 4067056 (4067055) Product Enhancement - Support for InfoScale servers hosted in AWS cloud environments.
* 4067058 (4067057) Product Enhancement - Discovers FULLFSCK flag on VxFS file system and generates fault on file system corruption.
* 4067130 (4067129) 'InfoScale version' shows N/A for some of the InfoScale servers.
* 4067133 (4067132) Security fix - A reflected cross-site scripting (XSS) vulnerability allows a malicious VIOM user to inject malicious script into another user's browser (CWE-79).
* 4067136 (4067135) Security fix - An absolute path traversal vulnerability allows a user to gain unauthorized access to resources on the server (CWE-36).
* 4067147 (4067146) Product Enhancement - Global VVR Monitoring Thresholds.


DETAILS OF INCIDENTS FIXED BY THE PATCH
---------------------------------------
This patch fixes the following incidents:

Patch ID: vom-HF0800420

* 4119263 (Tracking ID: 4119258)

SYMPTOM:
Third party component vulnerability reported.

DESCRIPTION:
Following third party component has been upgraded:


----------------------------------------------------------------------------------------------------------
Component Name     Upgraded Version (8.0.0.420)   CVE FIXED        COMMENTS
----------------------------------------------------------------------------------------------------------
OpenSSL            1.0.2zg                        (none listed)    Applicable for Linux, AIX and Solaris platforms.
JSON-java          20230227                       (none listed)    Applicable for VIOM Management Server only.
Spring Security    5.8.3                          (none listed)    Applicable for VIOM Management Server only.
----------------------------------------------------------------------------------------------------------

RESOLUTION:
Fixed the affected endpoint.

* 4119390 (Tracking ID: 4119389)

SYMPTOM:
Connectivity shows Unknown in enclosure tab under server perspective.

DESCRIPTION:
Connectivity shows Unknown in enclosure tab under server perspective due to join with empty tables in a query.

RESOLUTION:
Fixed the enclosure view query.

* 4119394 (Tracking ID: 4119393)

SYMPTOM:
Disk Group utilization chart shows negative value for spare size for some DG.

DESCRIPTION:
Spare size is being calculated based on LUN_SIZE which is not always showing updated value after increasing LUN size.

RESOLUTION:
Picking LUN_SIZE from correctly updated table to calculate spare size.

Patch ID: vom-HF0800410

* 4115485 (Tracking ID: 4115477)

SYMPTOM:
Some High, Medium and Low vulnerabilities have been discovered in Veritas InfoScale Operations Manager.

DESCRIPTION:
The following 8 vulnerabilities (High - 3, Medium - 4, Low - 1) are fixed in the VIOM 8.0.0.410 security patch.
Customers are requested to upgrade their Management Servers to at least the 8.0U4SP1 (8.0.0.410) level to get these vulnerability fixes. On InfoScale 7.2 and higher servers, VIOM Clients can be upgraded to 8.0.0.410. On InfoScale 7.1 and lower servers, VIOM Clients can be upgraded to 7.4.2.800.

Details of the fixed vulnerabilities are available in technote https://www.veritas.com/support/en_US/doc/viom_technote_8.0.0.410

NOTE: Please perform all client upgrades using the VIOM GUI only.

1) Arbitrary Code Execution (Sev - High) [Applicable to Management Server and Clients]
The VIOM web application does not validate user-supplied data and appends it to OS commands and internal binaries used by the application. An attacker with root/administrator level privileges can use this vulnerability to read sensitive data stored on the servers, modify data or server configuration, and delete data or application configuration.

2) SQL Injection (Sev - High) [Applicable to Management Server]
The InfoScale VIOM web application is vulnerable to SQL injection in some areas of the application. This allows attackers to submit arbitrary SQL commands to the back-end database to create, read, update or delete any sensitive data stored in the database.

3) Command Execution via Insecure File Upload (Sev - High) [Applicable to Management Server and Clients]
The InfoScale VIOM-Xprtld web application allows an authenticated attacker to upload files of any type to the server. An attacker can execute the malicious file and gain complete control of the back-end server.

4) Cross-Site Request Forgery (CSRF) (Sev - Medium) [Applicable to Management Server]
The InfoScale VIOM web application is vulnerable to Cross-Site Request Forgery attacks. An attacker can coerce authenticated users into performing actions without their consent or knowledge.

5) Cross-Site Scripting (XSS) (Sev - Medium) [Applicable to Management Server]
The InfoScale VIOM web application is vulnerable to Cross-Site Scripting (XSS). An attacker can run malicious scripts in the context of the website in order to steal content stored in the DOM and impersonate the user, coerce the user into carrying out unintended actions on the web application, or modify the content displayed to the user.

6) CSV Excel Macro Injection (Sev - Medium) [Applicable to Management Server]
The InfoScale VIOM web application has functionality that allows users to export data in CSV format. This data is not sanitized and allows injection attacks against end users who open the CSV files. By crafting special payloads, an attacker can run command-line programs via Microsoft Excel on a victim's machine in order to compromise their system.

7) Arbitrary URL Redirection (Sev - Low) [Applicable to Management Server]
The InfoScale VIOM web application redirects clients based on the navigation history without validation. While applications often need to redirect users between areas, this functionality can be used maliciously when implemented without adequate security controls. By crafting a special web page for victims, an attacker can trick a user into visiting a page that redirects them away from the safety of the application to the attacker's domain.

8) Missing Authentication - Direct Request (Sev - Medium) [Applicable to Management Server]
The InfoScale VIOM web applications do not have sufficient authentication checks in place for accessing sensitive files and resources. This can allow an attacker to directly access application resources without proper authentication and gain access to sensitive data.

RESOLUTION:
Fixed the found issues in product.
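
Item 6 above describes the CSV export problem only in general terms. The following Python is an added example written for this page, not VIOM code: it shows the unsanitised export side by side with the usual mitigation (prefixing formula-triggering cells with a single quote), run over constructed sample rows that include a classic spreadsheet DDE payload. The function and variable names and the sample rows are this example's own.

```python
import csv
import io

# Leading characters that Excel and LibreOffice interpret as the start of a formula.
# Tab and carriage return are included because they let a payload spill into a new cell.
FORMULA_LEADS = ("=", "+", "-", "@", "\t", "\r")


def neutralise_cell(value):
    """Return a cell value that a spreadsheet will render as text, never evaluate.

    Numbers are left alone (a negative number is not a formula); strings that start
    with a formula trigger get a leading single quote, the standard OWASP mitigation.
    """
    if isinstance(value, (int, float)):
        return value
    text = str(value)
    if text.startswith(FORMULA_LEADS):
        return "'" + text
    return text


def export_csv(rows, safe=True):
    """Serialise rows (a list of lists) to CSV text.

    safe=False reproduces the unsanitised export the advisory describes: quoting alone
    does not help, because the spreadsheet strips the quotes and then sees the formula.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralise_cell(v) if safe else v for v in row])
    return buf.getvalue()


# Constructed sample data: the comment column is free text a low-privileged user could
# fill in, and two rows carry the well-known DDE-style payloads.
SAMPLE_ROWS = [
    ["host", "cores", "comment"],
    ["host01", 8, "production DB"],
    ["host02", 4, "=cmd|' /C calc'!A1"],
    ["host03", -1, "@SUM(1+1)*cmd|' /C calc'!A1"],
]

if __name__ == "__main__":
    print("unsafe export:\n" + export_csv(SAMPLE_ROWS, safe=False))
    print("safe export:\n" + export_csv(SAMPLE_ROWS))
```

Quoting the field is not a defence on its own: Excel strips the CSV quotes before deciding whether a cell is a formula, which is why the unsafe variant still carries the payload intact. The single-quote prefix is visible to anyone who opens the file in a text editor; where that matters, the alternative is to offer exports in a format that has no formula semantics.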

* 4115498 (Tracking ID: 4115494)

SYMPTOM:
Third party component vulnerability reported.

DESCRIPTION:
Following third party component has been upgraded:


----------------------------------------------------------------------------------------------------------
Component Name              Upgraded Version (8.0.0.410)   COMMENTS
----------------------------------------------------------------------------------------------------------
Apache Commons FileUpload   1.5                            Applicable for VIOM Management Server only.
Spring Framework            5.3.26                         Applicable for VIOM Management Server only.
----------------------------------------------------------------------------------------------------------

RESOLUTION:
Fixed the affected endpoint.

Patch ID: vom-HF0800400

* 4112476 (Tracking ID: 4112473)

SYMPTOM:
Third party component vulnerability reported.

DESCRIPTION:
Following third party component has been upgraded :


----------------------------------------------------------------------------------------------------------
Component Name     Previous Version (8.0.0.310)   Upgraded Version (8.0.0.400)   CVEs Fixed
----------------------------------------------------------------------------------------------------------
Java               11.0.17.8.1                    11.0.18.10.1                   (none listed)
Apache Tomcat      9.0.70                         9.0.73                         BDSA-2023-0623
----------------------------------------------------------------------------------------------------------

RESOLUTION:
Fixed the affected endpoint.

* 4112526 (Tracking ID: 4112525)

SYMPTOM:
Unable to add guest/admin permission to user group for server perspective.

DESCRIPTION:
Batch update in DB fails to add guest/admin permission to user group for server perspective due to newly added query.

RESOLUTION:
Fixed the DB query.

* 4112529 (Tracking ID: 4112528)

SYMPTOM:
Missing HSTS header for xprtld service running on port 5634

DESCRIPTION:
Security vulnerability scanners may report missing HSTS header for xprtld service running on port 5634.

RESOLUTION:
Added HSTS header.

* 4112532 (Tracking ID: 4112531)

SYMPTOM:
MAC address of Windows MH changes randomly on each reboot and host disconnects from VIOM CMS.

DESCRIPTION:
MAC address of Windows MH changes randomly on each reboot and host disconnects from VIOM CMS due to hostguid mismatch.

RESOLUTION:
Changed the flag to GAA_FLAG_INCLUDE_ALL_INTERFACES in GetAdaptersAddresses(). This returns addresses for all NDIS interfaces, which are used when creating hostguids for a Windows MH.

* 4112563 (Tracking ID: 4112562)

SYMPTOM:
N/A

DESCRIPTION:
VIOM now counts "#Cores(vCPUs)" of Linux Virtual Machines (deployed on premises or in Cloud) regardless of whether Hyper-Threading is enabled.

RESOLUTION:
N/A

Patch ID: vom-HF0800310

* 4108966 (Tracking ID: 4108965)

SYMPTOM:
Third party component vulnerability reported.

DESCRIPTION:
Following third party component has been upgraded :


----------------------------------------------------------------------------------------------------------
Component Name                   Previous Version (8.0.0.220)   Upgraded Version (8.0.0.310)   CVE FIXED
----------------------------------------------------------------------------------------------------------
Apache Commons Net               3.8.0                          3.9.0                          BDSA-2022-3466
jackson-databind                 2.13.3                         2.14.1                         CVE-2022-42003 (BDSA-2022-2765), CVE-2022-42004 (BDSA-2022-2768)
PostgreSQL JDBC Driver (pgjdbc)  42.5.0                         42.5.1                         CVE-2022-41946 (BDSA-2022-3347)
Spring Framework                 5.3.21                         5.3.25                         CVE-2016-1000027
Spring Security                  5.7.1                          5.8.1                          CVE-2022-31690 (BDSA-2022-3109), CVE-2022-31692 (BDSA-2022-3106)
----------------------------------------------------------------------------------------------------------

RESOLUTION:
Fixed the affected endpoint.

* 4109349 (Tracking ID: 4109347)

SYMPTOM:
Patch upgrade fails on VIOM Management Server with error message below in hf.log
[debug] 27489 update_mh: CMS post upgrade failed : 256. Processing upgrade_cms ................................
FAILED rc=1
Rolling back jobs::upgrade_cms................................OK
Return Code : 1
pg_ctl: could not start server

DESCRIPTION:
The VIOM patch upgrade may fail during the CMS post-upgrade step with a pg_ctl error.

RESOLUTION:
The wrong postgresql.conf was being restored during the upgrade. Fixed by restoring the correct postgresql.conf.

* 4109360 (Tracking ID: 4109359)

SYMPTOM:
After patch upgrade on VIOM Management Server 8.0, LDAP login may fail with an "authentication broker is not accessible" error.

DESCRIPTION:
LDAP users fail to log in to the VIOM GUI because of cipher changes in the VIOM Broker service.

RESOLUTION:
Changed the cipher list back to the previous one.

Patch ID: vom-HF0800300

* 4100726 (Tracking ID: 4100725)

SYMPTOM:
Third party component vulnerability reported.

DESCRIPTION:
Following third party component has been upgraded :


----------------------------------------------------------------------------------------------------------------------------------
Component Name                   Previous Version (8.0.0.220)   Upgraded Version (8.0.0.230)   CVE FIXED       COMMENTS
----------------------------------------------------------------------------------------------------------------------------------
Java                             11.0.16.8.1                    11.0.17.8.1                    (none listed)   Applicable for VIOM Management Server only.
PostgreSQL Database Server       14.1                           14.5                           (none listed)   Applicable for VIOM Management Server only.
PostgreSQL JDBC Driver (pgjdbc)  42.3.4                         42.5.0                         (none listed)   Applicable for VIOM Management Server only.
Apache Xerces2 J                 2.12.1                         2.12.2                         (none listed)   Applicable for VIOM Management Server only.
Apache Batik                     1.14                           1.16                           (none listed)   Applicable for VIOM Management Server only.
gSOAP for Linux                  2.8.5.0                        2.8.123                        (none listed)   Applicable for VIOM Management Server only.
Apache Tomcat                    9.0.64                         9.0.70                         (none listed)   Applicable for VIOM Management Server only.
----------------------------------------------------------------------------------------------------------------------------------

RESOLUTION:
Fixed the affected endpoint.

* 4100839 (Tracking ID: 4100838)

SYMPTOM:
After VIOM CMS-CFSHA upgrade, '/opt/VRTSsfmcs/config/vcs/sfmha start' cli throws error below
VCS WARNING V-16-1-10554 No resource exists with type of Mount

DESCRIPTION:
After a successful VIOM CMS-CFSHA upgrade, the installer asks you to run the '/opt/VRTSsfmcs/config/vcs/sfmha start' CLI, which unfreezes the service groups.
You may see the error 'No resource exists with type of Mount'.

RESOLUTION:
For CFSHA, resource type is CFSMount. Added support for CFSMount.

* 4100844 (Tracking ID: 4100841)

SYMPTOM:
N/A

DESCRIPTION:
Details on generating Core Plus License report is available in technote https://www.veritas.com/support/en_US/doc/viom_technote_8.0.0.300

RESOLUTION:
N/A

Patch ID: vom-HF0800230

* 4098841 (Tracking ID: 4098835)

SYMPTOM:
Third party component vulnerability reported.

DESCRIPTION:
Following third party component has been upgraded :


----------------------------------------------------------------------------------------------------------------------------------
Component Name     Previous Version (8.0.0.220)   Upgraded Version (8.0.0.230)   CVE FIXED                         COMMENTS
----------------------------------------------------------------------------------------------------------------------------------
Java               11.0.16.8.1                    11.0.17.8.1                    (none listed)                     Applicable for VIOM Management Server only.
Tomcat             9.0.65                         9.0.69                         CVE-2022-42252 (BDSA-2022-3105)   Applicable for VIOM Management Server only.
Batik              1.14                           1.16                           (none listed)                     Applicable for VIOM Management Server only.
----------------------------------------------------------------------------------------------------------------------------------

RESOLUTION:
Fixed the affected endpoint.

Patch ID: vom-HF0800220

* 4095566 (Tracking ID: 4095565)

SYMPTOM:
Third party component (gSOAP) vulnerability reported.

DESCRIPTION:
Following third party component has been upgraded for linux :


----------------------------------------------------------------------------------------------------------------------------------
Component Name   Previous Version (8.0.0.210)   Upgraded Version (8.0.0.220)   CVE FIXED                                          COMMENTS
----------------------------------------------------------------------------------------------------------------------------------
gSOAP            2.8.5                          2.8.123                        BDSA-2021-0343, BDSA-2021-0337, BDSA-2021-0341,    Component upgraded for Linux.
                                                                               BDSA-2021-0338, BDSA-2021-0799, BDSA-2020-4167,
                                                                               CVE-2019-7659 (BDSA-2019-0627), CVE-2017-9765
----------------------------------------------------------------------------------------------------------------------------------

RESOLUTION:
Fixed the affected endpoint.

* 4095902 (Tracking ID: 4095901)

SYMPTOM:
After the VIOM 8.0.0.210 patch upgrade, you may not be able to log in to the VIOM GUI.

DESCRIPTION:
After the patch upgrade, the JAVA_OPTS line in the esmweb.cfg file may have been merged with another line.

RESOLUTION:
Fixed the modification of the esmweb.cfg file.

Patch ID: vom-HF0800210

* 4089978 (Tracking ID: 4089977)

SYMPTOM:
Third party components vulnerability reported.

DESCRIPTION:
Following third party components have been upgraded and removed.


----------------------------------------------------------------------------------------------------------------------------------
Components                       Previous Version (8.0.0.200)   Upgraded Version (8.0.0.210)   CVE FIXED                                          COMMENTS
----------------------------------------------------------------------------------------------------------------------------------
Apache Tomcat                    9.0.64                         9.0.65                         CVE-2022-34305 (BDSA-2022-1742), CVE-2017-7789,    Component upgraded
                                                                                               CVE-2021-0296, CVE-2015-5505
PostgreSQL Database Server       14.1                           14.5                           CVE-2022-1552 (BDSA-2022-1296),                    Component upgraded
                                                                                               CVE-2022-2625 (BDSA-2022-2210)
Apache Xerces2 J                 2.12.1                         2.12.2                         CVE-2022-23437 (BDSA-2022-0232)                    Component upgraded
PostgreSQL JDBC Driver (pgjdbc)  42.3.4                         42.5.0                         CVE-2022-31197                                     Component upgraded
Apache Xalan                     2.7.2                          N/A                            CVE-2022-34169 (BDSA-2022-1993)                    Component removed
Spring Framework                 4.3.30.RELEASE                 N/A                            BDSA-2022-0847, CVE-2022-22971,                    Component removed
                                                                                               CVE-2022-22950 (BDSA-2022-0820), BDSA-2021-3236,
                                                                                               CVE-2022-22965 (BDSA-2022-0858), BDSA-2022-0011,
                                                                                               CVE-2022-22970, CVE-2022-22968 (BDSA-2022-1040)
----------------------------------------------------------------------------------------------------------------------------------

RESOLUTION:
Fixed the affected endpoint.

* 4089985 (Tracking ID: 4089983)

SYMPTOM:
Suspected HSTS Vulnerability in VIOM on 14161 and 5634 port.

DESCRIPTION:
By default the httpHeaderSecurity filter is disabled in the Tomcat server, and the service on port 5634 did not send the header either, so scanners report a missing HSTS policy on both ports.

RESOLUTION:
Enabled httpHeaderSecurity in the Tomcat server for port 14161 and added the header for port 5634.
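
Incidents 4112529 (port 5634) and 4089985 (ports 14161 and 5634) both concern a missing Strict-Transport-Security header. The following Python is an added example, not part of the patch or of VIOM: it evaluates the header the way a scanner does (presence, a numeric max-age of at least one year, includeSubDomains) over constructed sample responses, and, when given a host on the command line, probes the two real ports. The sample headers, the one-year threshold and the helper names are this example's assumptions.

```python
import http.client
import ssl

# Ports named in this advisory: the Tomcat-served web GUI and the xprtld agent service.
VIOM_PORTS = {14161: "VIOM Management Server web GUI (Tomcat)", 5634: "xprtld"}

# One year, the value most scanners (and the HSTS preload list) treat as the minimum (assumption).
MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Split an STS header value into lower-cased directive names and their values (RFC 6797 section 6.1)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers):
    """Return a list of findings for one HTTPS response; an empty list means the policy is acceptable."""
    sts = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if sts is None:
        return ["Strict-Transport-Security header missing"]
    d = parse_hsts(sts)
    findings = []
    if not d.get("max-age", "").isdigit():
        findings.append("max-age directive missing or not numeric")
    elif int(d["max-age"]) < MIN_MAX_AGE:
        findings.append(f"max-age={d['max-age']} is below {MIN_MAX_AGE} seconds")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set (scanners flag this; optional for a single-host deployment)")
    return findings


def probe(host, port, path="/"):
    """Fetch the response headers of a live endpoint over TLS.

    Certificate verification is disabled because the VIOM components present certificates
    from the product's own CA (assumption); this probe only inspects headers.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    return dict(resp.getheaders())


# Constructed responses, not captured from a real server: the GUI port after the fix,
# and the port 5634 service as a scanner would have seen it before 8.0.0.400.
SAMPLE_RESPONSES = {
    14161: {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    5634: {"Content-Type": "text/html"},
}


def demo():
    """Run the check over the constructed samples; returns {port: findings}."""
    return {port: check_hsts(hdrs) for port, hdrs in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:   # python hsts_check.py <viom-host> probes the two real ports
        results = {port: check_hsts(probe(sys.argv[1], port)) for port in VIOM_PORTS}
    else:
        results = demo()
    for port, findings in results.items():
        print(f"{port} ({VIOM_PORTS[port]}): {findings or 'OK'}")
```

On the Tomcat side the header is produced by org.apache.catalina.filters.HttpHeaderSecurityFilter, whose filter and filter-mapping entries in conf/web.xml ship commented out, which is the default-disabled state the description refers to. The probe disables certificate verification only because it inspects headers; it is not a substitute for verifying the VIOM CA certificate elsewhere.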

* 4090027 (Tracking ID: 4090007)

SYMPTOM:
A security scan may recommend removing the example applications, documentation, and other directories of Apache Tomcat.

DESCRIPTION:
The security scan for Apache Tomcat recommends removal of the following two example applications from the VIOM Management Server:
             LINUX CMS
                1. /opt/VRTSsfmcs/webgui/tomcat/webapps/ROOT/
                2. /opt/VRTSsfmcs/webgui/tomcat/webapps/host-manager/
             WINDOWS CMS
                1. C:\Program Files\Veritas\VRTSsfmcs\webgui\tomcat\webapps\ROOT
                2. C:\Program Files\Veritas\VRTSsfmcs\webgui\tomcat\webapps\host-manager

In this patch the host-manager directory has been removed completely, along with all Tomcat-related files from the ROOT directory.
The ROOT directory is still present and contains only VIOM application-specific files.

RESOLUTION:
The

Patch ID: vom-HF0800200

* 4086839 (Tracking ID: 4086838)

SYMPTOM:
The at_migration.pl script may throw an error if there are VIOM Agents running version 8.0 or higher.

DESCRIPTION:
Migration of old 1024-bit certificates to 2048-bit using at_migration.pl may not work if some of the VIOM Agents are version 8.0 or higher.
Note that at_migration.pl only needs to be run when your VIOM Management Server is using 1024-bit certificates and you wish to move to 2048-bit certificates.
Do not run the script if your VIOM environment is already using 2048-bit certificates.

RESOLUTION:
Added support for VIOM 8.x.

* 4086843 (Tracking ID: 4086841)

SYMPTOM:
N/A

DESCRIPTION:
Following features are implemented as part of 'US Federal Executive Order EL1 Logging requirements': 

1. Timestamp format has been changed as per EO in every log statement.
2. Added FQDN (Linux)/ hostname(Windows) in every log statement as unique identifier.
3. In web server logs, added minimum logging fields such as Session ID, Source and Destination IPs (IPv4), Status Code, Response Time, Additional http headers etc. in every log statement.
4. Logging of the CLIs executed.
5. Logfile permission is changed to 600.

After patch installation, some manual changes are also needed for web server logging if your organization requires the logging changes described in the US Federal Executive Order. Refer to the technote below for details.
https://www.veritas.com/support/en_US/doc/viom_technote_8.0.0.200

RESOLUTION:
N/A

* 4086847 (Tracking ID: 4086846)

SYMPTOM:
N/A

DESCRIPTION:
VIOM Management Servers and VIOM Agents communicate over TLS 1.2 and use 2048-bit certificates to secure that communication. These certificates expire over time, and once they have expired VIOM stops working.
This enhancement detects the number of days until certificate expiry and raises a fault when 120 days remain. The administrator can then renew the certificates from the GUI (Settings -> Hosts -> Renew Certificates).

Refer technote for more details.
https://www.veritas.com/support/en_US/doc/viom_technote_8.0.0.200

RESOLUTION:
N/A
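
Incidents 4086839 (migrating 1024-bit certificates to 2048-bit) and 4086847 (raising a fault 120 days before expiry) are both checks on the certificate itself. The following Python is an added example, not VIOM's implementation: a small DER walker that pulls notAfter and the RSA modulus size out of a certificate and applies the two rules, run over synthetic certificates it constructs in-process so it needs no key material or third-party library. The helper names, the CN, the fixed "now" and the synthetic certificates are this example's assumptions; the 120-day and 2048-bit thresholds come from the text above.

```python
from datetime import datetime, timedelta, timezone

FAULT_THRESHOLD_DAYS = 120   # the advisory's threshold for raising a certificate-expiry fault
REQUIRED_KEY_BITS = 2048     # at_migration.pl exists to move 1024-bit deployments to this size
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1


# --- minimal DER encoder: just enough to construct a synthetic test certificate ---
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def seq(*items):
    return tlv(0x30, b"".join(items))


def integer(n):
    # (bit_length + 8) // 8 keeps the leading 0x00 that DER requires when the top bit is set
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def utctime(dt):
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def build_cert(not_before, not_after, key_bits):
    """Constructed, unsigned X.509 v3 certificate with the given validity and RSA modulus size.

    The modulus is simply a number of exactly key_bits bits (not a real key) and the signature
    is a placeholder, so the blob only serves to exercise inspect_cert().
    """
    sig_alg = seq(tlv(0x06, bytes.fromhex("2a864886f70d01010b")), tlv(0x05, b""))  # sha256WithRSA
    name = seq(tlv(0x31, seq(tlv(0x06, bytes.fromhex("550403")), tlv(0x0C, b"vom-example"))))  # CN=
    rsa_key = seq(integer((1 << (key_bits - 1)) | 1), integer(65537))
    spki = seq(seq(tlv(0x06, RSA_ENCRYPTION_OID), tlv(0x05, b"")), tlv(0x03, b"\x00" + rsa_key))
    tbs = seq(tlv(0xA0, integer(2)), integer(0x1234), sig_alg, name,
              seq(utctime(not_before), utctime(not_after)), name, spki)
    return seq(tbs, sig_alg, tlv(0x03, b"\x00" + bytes(32)))


# --- minimal DER reader ---
def children(body):
    """Return [(tag, value), ...] for the TLVs laid end to end in body."""
    out, pos = [], 0
    while pos < len(body):
        tag, length, pos = body[pos], body[pos + 1], pos + 2
        if length & 0x80:                              # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        out.append((tag, body[pos:pos + length]))
        pos += length
    return out


def parse_time(tag, value):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def inspect_cert(der, now):
    """Report notAfter, days left, RSA key size and the findings an expiry/key-size check would raise."""
    (_, cert), = children(der)                          # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    tbs = children(children(cert)[0][1])
    if tbs[0][0] == 0xA0:                               # optional [0] EXPLICIT version
        tbs = tbs[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    not_after = parse_time(*children(tbs[3][1])[1])
    alg, bit_string = children(tbs[5][1])
    key_bits = None
    if children(alg[1])[0][1] == RSA_ENCRYPTION_OID:
        rsa_key = children(bit_string[1][1:])[0][1]     # [1:] skips the unused-bits octet
        key_bits = int.from_bytes(children(rsa_key)[0][1], "big").bit_length()
    days_left = (not_after - now).days
    findings = []
    if days_left < 0:
        findings.append("certificate expired")
    elif days_left < FAULT_THRESHOLD_DAYS:
        findings.append(f"expires in {days_left} days, below the {FAULT_THRESHOLD_DAYS}-day fault threshold")
    if key_bits is not None and key_bits < REQUIRED_KEY_BITS:
        findings.append(f"{key_bits}-bit RSA key: migrate to {REQUIRED_KEY_BITS} bits")
    return {"not_after": not_after, "days_left": days_left, "key_bits": key_bits, "findings": findings}


FIXED_NOW = datetime(2023, 6, 5, tzinfo=timezone.utc)   # this patch's release date; keeps the demo deterministic


def demo():
    """Three constructed certificates: legacy 1024-bit near expiry, healthy 2048-bit, and one already expired."""
    certs = [
        build_cert(FIXED_NOW - timedelta(days=265), FIXED_NOW + timedelta(days=100), 1024),
        build_cert(FIXED_NOW, FIXED_NOW + timedelta(days=730), 2048),
        build_cert(FIXED_NOW - timedelta(days=400), FIXED_NOW - timedelta(days=1), 2048),
    ]
    return [inspect_cert(c, FIXED_NOW) for c in certs]


if __name__ == "__main__":
    for report in demo():
        print(report["not_after"].date(), report["days_left"], report["key_bits"], report["findings"])
```

For a real deployment, feed inspect_cert() the DER of the certificates the Management Server and agents actually present (a PEM file is the base64 body between the BEGIN/END lines) with the current UTC time, and treat any finding as the equivalent of the fault this enhancement raises.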

* 4086852 (Tracking ID: 4086851)

SYMPTOM:
Third party components vulnerability reported.

DESCRIPTION:
The following third-party components have been upgraded:

Component                    Previous Version    Upgraded Version    Vulnerability IDs fixed
                             (VIOM 8.0.0.120)    (VIOM 8.0.0.200)

PostgreSQL Database Server   10.21               14.1                CVE-2021-3393, BDSA-2019-4036, BDSA-2020-2096, BDSA-2020-2095,
                                                                     CVE-2019-9193 (BDSA-2019-0895)

OpenJDK                      jdk8u332-b08        11.0.16.8.1         BDSA-2022-0129, BDSA-2022-0133, BDSA-2022-0134, BDSA-2022-1997, BDSA-2022-1995,
                                                                     BDSA-2022-1993

Apache Xerces2               2.9.1               2.12.1              BDSA-2009-0005 (CVE-2009-2625), BDSA-2016-1289 (CVE-2013-4002),
                                                                     CVE-2012-0881 (BDSA-2012-0077)

Apache Thrift                0.7.0               0.14.1              CVE-2015-3254, BDSA-2021-0373, CVE-2019-0205 (BDSA-2019-3340),
                                                                     CVE-2018-1320 (BDSA-2018-4637), CVE-2016-5397 (BDSA-2017-3861)

Apache Tika                  0.7                 2.4.1               CVE-2022-33879 (BDSA-2022-1772), CVE-2018-11796 (BDSA-2018-3491), CVE-2018-1338,
                                                                     CVE-2021-28657 (BDSA-2021-0824), CVE-2022-25169 (BDSA-2022-1352), BDSA-2020-0906,
                                                                     CVE-2022-30126 (BDSA-2022-1353), CVE-2018-11761 (BDSA-2018-3316), CVE-2016-4434,
                                                                     CVE-2018-11796 (BDSA-2018-3491), CVE-2018-1339, BDSA-2022-1517, CVE-2015-3271,
                                                                     CVE-2018-1335, CVE-2016-6809

Spring Security              5.5.0               5.7.1               CVE-2022-22976 (BDSA-2022-1370), CVE-2021-22119 (BDSA-2021-2310),
                                                                     CVE-2022-22978 (BDSA-2022-1369)

Apache Santuario (Java)      2.2.2               3.0.0               CVE-2021-40690 (BDSA-2021-2815)

RESOLUTION:
Fixed the affected endpoint.

* 4086855 (Tracking ID: 4086853)

SYMPTOM:
VIOM logs were growing beyond defined limit.

DESCRIPTION:
Management Server and Managed Host logs inside the VRTSsfmcs and VRTSsfmh folders grow beyond the defined limit.

RESOLUTION:
Fixed a log file resource-locking issue so that logs are rotated when their size exceeds the defined limit.

* 4086861 (Tracking ID: 4086860)

SYMPTOM:
Faults are not listed under the Faults tab in the VIOM GUI.

DESCRIPTION:
The Fault page does not list any fault under the Faults tab in the VIOM GUI.

RESOLUTION:
Fixed an exception that blocked the listing of faults under the Faults tab.

* 4086867 (Tracking ID: 4086866)

SYMPTOM:
Mitigation for CVE-2020-9484 vulnerability.

DESCRIPTION:
CVE-2020-9484 vulnerability is present in Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103.

RESOLUTION:
Tomcat upgraded to version 9.0.64, which is not affected by CVE-2020-9484.

* 4086873 (Tracking ID: 4086872)

SYMPTOM:
Enable Flexible Storage Sharing check box is disabled in Create Disk Group operation on cluster.

DESCRIPTION:
The FSS option is disabled by default on the first page of DG creation, but it is listed as enabled on the summary (last) page of the DG create operation on a cluster.

RESOLUTION:
Fixed the data inconsistency in the create DG operation. The FSS option is now enabled by default in the DG create operation on a cluster if it is a CVM cluster and the disks are exported.

* 4086990 (Tracking ID: 4086989)

SYMPTOM:
N/A

DESCRIPTION:
Support for detecting two new VVR RVG faults has been added to VIOM. The fault topic IDs are:
event.alert.vom.vvr.replication.srl.disabled
event.alert.vom.vvr.replication.rlink.detached

VIOM raises the SRL disabled fault when the SRL volume in the RVG is detected as 'DISABLED'. If the Rlink state for the RVG is 'DETACHED', the Rlink detached fault is generated.

Refer to the technote for more details.
https://www.veritas.com/support/en_US/doc/viom_technote_8.0.0.200

RESOLUTION:
N/A

Patch ID: vom-HF0800120

* 4080541 (Tracking ID: 4080538)

SYMPTOM:
Spring framework vulnerabilities reported.

DESCRIPTION:
Spring Framework upgraded to 5.3.21.

RESOLUTION:
Upgraded Spring Framework to the latest version.

* 4080542 (Tracking ID: 4080540)

SYMPTOM:
Tomcat vulnerabilities reported.

DESCRIPTION:
Tomcat upgraded to 9.0.64.

RESOLUTION:
Upgraded Tomcat to the latest version.

* 4080546 (Tracking ID: 4080545)

SYMPTOM:
google-gson vulnerabilities reported.

DESCRIPTION:
Upgraded the google-gson jar to the latest available version, 2.9.0.

RESOLUTION:
Upgraded google-gson to the latest version.

* 4080727 (Tracking ID: 4080726)

SYMPTOM:
N/A

DESCRIPTION:
Forward secrecy cipher suites have been enabled for the "xprtld" service running on port 5634 on VIOM Management Servers and Agents.
The following TLSv1.2 cipher suites are now available for secure communication between the VIOM CMS and Agents. The ECDHE suites provide forward secrecy; the TLS_RSA suites use static RSA key exchange and do not.
TLSv1.2 ciphers
       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong

RESOLUTION:
N/A
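An added example (not Veritas code) that ties together two behaviours from this readme: the certificate-expiry fault raised at 120 days (incident 4086847) and the cipher suites enabled on xprtld port 5634 (incident 4080727). The offline functions take the values that Python's ssl module returns for a peer certificate and negotiated cipher; fetch_xprtld_state() is an assumed way to collect them and needs a VIOM CA bundle path, which the readme does not give.

```python
# Added example (not Veritas code): offline checks mirroring two xprtld
# behaviours in this readme: the fault at 120 days before certificate expiry
# and the ECDHE suites enabled on port 5634. Inputs are what
# ssl.SSLSocket.getpeercert()['notAfter'] and cipher()[0] return.
import socket
import ssl
import time

EXPIRY_FAULT_DAYS = 120   # threshold named in the readme
XPRTLD_PORT = 5634        # xprtld port named in the readme

def days_until_expiry(not_after, now=None):
    """Whole days left given OpenSSL notAfter text, e.g. 'Jan  1 00:00:00 2030 GMT'."""
    expires = ssl.cert_time_to_seconds(not_after)  # parsed as UTC
    now = time.time() if now is None else now
    return int((expires - now) // 86400)           # negative once expired

def expiry_fault(not_after, now=None):
    """'CERT_EXPIRED', 'CERT_EXPIRING' (<= 120 days left) or None."""
    days = days_until_expiry(not_after, now)
    if days < 0:
        return "CERT_EXPIRED"
    return "CERT_EXPIRING" if days <= EXPIRY_FAULT_DAYS else None

def forward_secret(openssl_cipher):
    """True for (EC)DHE key exchange. The TLS_RSA_* suites in the readme's list
    (OpenSSL names AES128-GCM-SHA256, AES256-GCM-SHA384) use static RSA."""
    return openssl_cipher.startswith(("ECDHE-", "DHE-"))

def assess(not_after, openssl_cipher, now=None):
    """Combine both checks into a list of findings (empty means healthy)."""
    findings = []
    fault = expiry_fault(not_after, now)
    if fault:
        findings.append(fault)
    if not forward_secret(openssl_cipher):
        findings.append("NO_FORWARD_SECRECY:" + openssl_cipher)
    return findings

def fetch_xprtld_state(host, cafile, port=XPRTLD_PORT):
    """Assumed collection step (cafile = VIOM CA bundle, path not in the readme):
    returns (notAfter, negotiated OpenSSL cipher name). Verification stays on,
    so an already-expired cert fails the handshake, which is itself the signal."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False   # expiry check must not hinge on CN matching
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert()["notAfter"], tls.cipher()[0]
```

Run assess(*fetch_xprtld_state(host, cafile)) against each Management Server and Agent after patching; an empty list means the certificate has more than 120 days left and the negotiated suite is an ECDHE one.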

Patch ID: vom-HF0800110

* 4076527 (Tracking ID: 4076526)

SYMPTOM:
Tomcat vulnerabilities reported.

DESCRIPTION:
Tomcat upgraded to 9.0.63.

RESOLUTION:
Upgraded Tomcat to the latest version.

* 4076531 (Tracking ID: 4076530)

SYMPTOM:
JAVA vulnerabilities reported.

DESCRIPTION:
Java upgraded to 8.332.08.1.

RESOLUTION:
Upgraded Java to the latest version.

* 4076534 (Tracking ID: 4076533)

SYMPTOM:
Spring framework vulnerabilities reported.

DESCRIPTION:
Spring Framework upgraded to 5.3.19.

RESOLUTION:
Upgraded Spring Framework to the latest version.

* 4076791 (Tracking ID: 4076790)

SYMPTOM:
jackson-databind vulnerabilities reported.

DESCRIPTION:
jackson-databind upgraded to 2.13.2.2.

RESOLUTION:
Upgraded jackson-databind to the latest version.

* 4076798 (Tracking ID: 4076797)

SYMPTOM:
PostgreSQL JDBC Driver vulnerabilities reported.

DESCRIPTION:
Upgraded the PostgreSQL JDBC Driver (pgjdbc) from 42.2.19 to the latest available version (42.3.4).

RESOLUTION:
Upgraded the PostgreSQL JDBC Driver to the latest version.

* 4076801 (Tracking ID: 4076800)

SYMPTOM:
PostgreSQL Database Server vulnerabilities reported.

DESCRIPTION:
PostgreSQL Database Server upgraded from version 10.17 to the latest available version (10.21).

RESOLUTION:
Upgraded PostgreSQL Database Server to the latest version.

Patch ID: vom-HF0800100

* 4067024 (Tracking ID: 4067023)

SYMPTOM:
You may see that a /dev/nul file is created on the VIOM Linux management server after the 7.4.2.500 patch upgrade.

DESCRIPTION:
After applying VIOM patch 7.4.2.500 on a Linux VIOM management server, a /dev/nul file can be created on the system.

RESOLUTION:
Changed /dev/nul to /dev/null.

* 4067034 (Tracking ID: 4067033)

SYMPTOM:
N/A

DESCRIPTION:
License Reconciliation is a feature that provides an effortless way to compare InfoScale license usage data against each entitlement, and includes a facility to view the effective license position summary of an organization. Refer to the technotes below for more details.
https://www.veritas.com/support/en_US/doc/viom_technote_7.4.2.600 - VIOM version 7.4.2
https://www.veritas.com/support/en_US/doc/viom_technote_8.0.0.100 - VIOM version 8.0

RESOLUTION:
N/A

* 4067041 (Tracking ID: 4067040)

SYMPTOM:
log4j2 vulnerabilities fixes

DESCRIPTION:
This patch upgrades log4j2 to version 2.17.1 on VIOM Management Servers to fix the vulnerabilities listed below.
CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-4104, CVE-2021-44832, CVE-2019-17571

This hotfix is mandatory for VIOM Management Servers and Managed Hosts/Agents to fix the log4j2 vulnerabilities. This hotfix upgrades log4j component to version 2.17.1 on VIOM Management Servers and removes log4j jars from Windows Managed Hosts. Removal of log4j jars from Managed Hosts/Agents does not impact any VIOM functionality.

RESOLUTION:
Upgraded log4j2 to 2.17.1

* 4067046 (Tracking ID: 4067045)

SYMPTOM:
Apache Tomcat vulnerability issue CVE-2022-23181 in versions below 9.0.58.

DESCRIPTION:
This patch upgrades Apache Tomcat to version 9.0.58 to fix vulnerability CVE-2022-23181.

RESOLUTION:
Upgraded Tomcat to version 9.0.58 in the VIOM patch.

* 4067050 (Tracking ID: 4067049)

SYMPTOM:
'Per Core License Information' report does not show correct 'Core to License' value.

DESCRIPTION:
VIOM GUI -> Licensing perspective -> Report -> 'Per Core License Information' displays incorrect number of 'Core to License' w.r.t. InfoScale version.

RESOLUTION:
Fixed the DB schema so that the correct 'Core to License' number is returned.

* 4067053 (Tracking ID: 4067052)

SYMPTOM:
Unable to log in using the Web API service in VIOM 8.0.

DESCRIPTION:
You may not be able to run the '/vom/api/gencert' VIOM web API to generate a certificate. This patch fixes the certificate generation issue.
When running /vom/api/gencert with curl, you must pass the '-G' option (which sends the -d values as a GET query string) to generate the certificate.

e.g.
curl -G -g -k -d user=user -d password=password -d domain=ManagementServer_hostname https://ManagementServer_hostname:14161/vom/api/gencert > /root/cert.txt

RESOLUTION:
Fixed the /vom/api/gencert API and also updated the VIOM 8.0 user guide to use the '-G' option in the /vom/api/gencert curl command.

* 4067056 (Tracking ID: 4067055)

SYMPTOM:
N/A

DESCRIPTION:
Veritas InfoScale Operations Manager supports the discovery of InfoScale hosts in an AWS cloud environment only if the hosts are running on Linux or Windows.
 
VIOM discovers AWS cloud parameters/properties for InfoScale servers hosted in AWS under the Server and Availability perspectives, along with the other host parameters/properties. For more information, refer to the technote https://www.veritas.com/support/en_US/doc/viom_technote_8.0.0.100.

RESOLUTION:
N/A

* 4067058 (Tracking ID: 4067057)

SYMPTOM:
N/A

DESCRIPTION:
Veritas InfoScale Operations Manager discovers the FULLFSCK flag on a VxFS file system every 24 hours. If the file system is corrupted, a fault 'SF_FILESYSTEM_CORRUPTED' is raised. For more information, refer to the technotes below.
https://www.veritas.com/support/en_US/doc/viom_technote_7.4.2.600 - VIOM version 7.4.2
https://www.veritas.com/support/en_US/doc/viom_technote_8.0.0.100 - VIOM version 8.0

RESOLUTION:
N/A

* 4067130 (Tracking ID: 4067129)

SYMPTOM:
InfoScale deployment details or some reports under Licensing perspective show InfoScale versions as N/A.

DESCRIPTION:
When checking the InfoScale version under some of the Licensing reports or the 'Deployment details' tab, you may see that InfoScale versions are displayed as N/A. You may see this issue on InfoScale servers where only InfoScale Availability is installed.

RESOLUTION:
Added a fix to get the InfoScale version when only InfoScale Availability is installed.

* 4067133 (Tracking ID: 4067132)

SYMPTOM:
An authenticated remote attacker (administrative/root role) can inject arbitrary web script or HTML into an HTTP GET parameter that reflects the user input without sanitization.

DESCRIPTION:
A reflected cross-site scripting (XSS) vulnerability affects the Veritas Operations Manager application, allowing authenticated remote attackers to inject arbitrary web script or HTML into an HTTP GET parameter that reflects the user input without sanitization.
Access to the web application as a user with the administrative/root role is required.
Severity: Medium

Refer to the technotes for more details.
https://www.veritas.com/support/en_US/doc/viom_technote_7.4.2.600 - VIOM version 7.4.2
https://www.veritas.com/support/en_US/doc/viom_technote_8.0.0.100 - VIOM version 8.0

RESOLUTION:
Fixed the affected endpoint.

* 4067136 (Tracking ID: 4067135)

SYMPTOM:
An authenticated remote attacker (administrative/root role) can manipulate the resource name in GET requests that refer to files by absolute path, making it possible to access arbitrary files stored on the filesystem.

DESCRIPTION:
The web server fails to sanitize the input data, allowing a remote authenticated attacker to read arbitrary files on the filesystem.
By manipulating the resource name in GET requests that refer to files by absolute path, it is possible to access arbitrary files stored on the filesystem.
Access to the web application as a user with the administrative/root role is required.
Severity: Low

Refer to the technotes for more details.
https://www.veritas.com/support/en_US/doc/viom_technote_7.4.2.600 - VIOM version 7.4.2
https://www.veritas.com/support/en_US/doc/viom_technote_8.0.0.100 - VIOM version 8.0

RESOLUTION:
Fixed the affected endpoint.

* 4067147 (Tracking ID: 4067146)

SYMPTOM:
N/A

DESCRIPTION:
The VIOM Server administrator can now use the Global VVR monitoring threshold wizard to set replication threshold values for all VVRs in their environment.

Refer to the technote for more details.
https://www.veritas.com/support/en_US/doc/viom_technote_8.0.0.100

RESOLUTION:
N/A



INSTALLING THE PATCH
--------------------
IMPORTANT NOTE : Please take a backup of the database using the instructions given in the Admin guide before installing this Hotfix.

This Hotfix is applicable for VIOM 8.0 Managed Hosts as well as VIOM 8.0 Management Server.

1. Download the file vom-8.0.0.420.sfa
2. Launch a browser and login to the VIOM management server.
3. Navigate to Settings -> Deployment Icon.
4. Upload the Hotfix to the VIOM CMS using the Upload Solutions button.
The Hotfix vom-8.0.0.420 should be visible in the Hot Fixes tree node.
5. Please install this Hotfix on CS using the following instructions:
- Go to Settings -> Deployment -> Hot Fixes -> Veritas Infoscale Operations Manager Managed Host.
- Click on the Hot Fixes tab, then click on the Applicable Hosts tab.
- Right-click on the CS name and click Install.


REMOVING THE PATCH
------------------
NONE


SPECIAL INSTRUCTIONS
--------------------
NONE


OTHERS
------
NONE