Yves' Blog

vCloud Director 9.5.0.3 (critical security update) - Update instructions

On 28 March 2019 VMware released vCloud Director 9.5.0.3, which includes a highly critical security patch that all service providers running vCloud Director 9.5 should install as soon as possible.

Security issue at hand:

VMware vCloud Director for Service Providers update resolves a Remote Session Hijack vulnerability in the Tenant and Provider Portals. Successful exploitation of this issue may allow a malicious actor to access the Tenant or Provider Portals by impersonating a currently logged in session.

Personal note / comment (I started to add this as I often get asked to evaluate the "real criticality/risk factor" by our strategic accounts):

This is a very critical issue which could directly affect customer/tenant data security, therefore I advise giving the test and upgrade procedure highest priority. Ensure this gets validated on test infrastructure before it is applied to production systems.



Release Notes: https://docs.vmware.com/en/vCloud-Director/9.5/rn/vCloud-Director-9503-for-Service-Providers-Release-Notes.html

Security Advisory: https://www.vmware.com/security/advisories/VMSA-2019-0004.html


Prerequisites for this update:

  • Read the Release Notes (above)
  • If you are already running vCloud Director 9.5, no backend database service update (such as from PostgreSQL 9.5 to 10) is required. If you do need one, please read my blog post on vCloud Director database upgrades.
  • Back up the database and cell services (NO, just a snapshot is NOT good enough!)
  • Test your update/upgrade on your test system

Update procedure:

  1. Upload the new binaries (My VMware link) to your vCloud Director cells.
  2. Mark the file executable.

    chmod a+x vmware-vcloud-director-distribution-9.5.0-12985626.bin

  3. Install the upgrade:

    # ./vmware-vcloud-director-distribution-9.5.0-12985626.bin
    Checking free disk space...done
    Checking for a supported Linux distribution...Detected CentOS7 system
    done
    Checking for necessary RPM prerequisites...done
    Extracting VMware vCloud Director. Please wait, this could take a few minutes...
    vmware-vcloud-director-23.2019.03.25-12982517.x86_64.rpm
    vmware-vcloud-director-rhel-23.2019.03.25-12982517.x86_64.rpm
    vmware-vcloud-director-h5ui-23.2019.03.25-12982517.x86_64.rpm
    vmware-phonehome-1.0.0-9490868.noarch.rpm
    done
    Verifying RPM signatures...done
    
    An older version of VMware vCloud Director has been detected and will be
    upgraded to 9.5.0.
    
    If you choose to proceed, the installer will stop the vmware-vcd service,
    back up any configuration files from the previous release and migrate the
    product configuration as necessary.
    
    Would you like to upgrade now? (y/n)? y
    Upgrading VMware vCloud Director...
    
    Waiting indefinitely for all active jobs on this cell to complete, if you
    would like to limit how long this process will wait you can cancel this at
    any time via CTRL+C and re-run providing the --abort-tasks-after-minutes
    flag indicating the maximum number of minutes to wait for jobs to complete.
    
    Successfully entered maintenance mode.
    Stopping vmware-vcd-watchdog:                              [  OK  ]
    Stopping vmware-vcd-cell:                                  [  OK  ]
    Installing the VMware vCloud Director 9.5.0 RPM...
    warning: vmware-vcloud-director-23.2019.03.25-12982517.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID 66fd4949: NOKEY
    Preparing...                          ################################# [100%]
    Updating / installing...
       1:vmware-vcloud-director-rhel-23.20################################# [ 14%]
       2:vmware-vcloud-director-23.2019.03warning: /opt/vmware/vcloud-director/etc/global.properties created as /opt/vmware/vcloud-director/etc/global.properties.rpmnew
    ################################# [ 29%]
       3:vmware-vcloud-director-h5ui-23.20################################# [ 43%]
       4:vmware-phonehome-1.0.0-9490868   ################################# [ 57%]
    Cleaning up / removing...
       5:vmware-vcloud-director-h5ui-23.20################################# [ 71%]
       6:vmware-vcloud-director-23.2018.11################################# [ 86%]
    Update completed.
       7:vmware-vcloud-director-rhel-23.20################################# [100%]
    done
    No DSA certificates found; disabling DSA ciphers for SSL/TLS connections. See KB 2056026 for details
    
    
    Upgrade installation complete.
    Next steps:
    
    You will need to upgrade the database schema before starting the
    vmware-vcd service.  The product upgrade tool should be run only once per
    vCloud Director group. The tool may be run with the following command:
    /opt/vmware/vcloud-director/bin/upgrade
    
    
  4. Database upgrade (only on one cell!):

    # /opt/vmware/vcloud-director/bin/upgrade
    Welcome to the vCloud Director upgrade utility
    
    Verify that you have a valid license key to use the version of the
    vCloud Director software to which you are upgrading.
    
    This utility will apply several updates to the database. Please
    ensure you have created a backup of your database prior to continuing.
    
    
    Do you wish to upgrade the product now? [Y/N] y
    Examining database at URL: jdbc:postgresql://10.200.117.51:5432/vcloud?socketTimeout=90
    The next step in the upgrade process will change the vCloud Director database schema.
    Backup your database now using the tools provided by your database vendor.
    Enter [Y] after the backup is complete. y
    Running 5 upgrade tasks
    Executing upgrade task:
    Successfully ran upgrade task
    Executing upgrade task:
    Successfully ran upgrade task
    Executing upgrade task:
    Successfully ran upgrade task
    Executing upgrade task:
    ..../Successfully ran upgrade task
    Executing upgrade task:
    Successfully ran upgrade task
    Database upgrade complete
    Upgrade complete
    
    Would you like to start the vCloud Director service now? If you choose not
    to start it now, you can manually start it at any time using this command:
    service vmware-vcd start
    
    Start it now? [y/n] y
    
    Starting vmware-vcd-watchdog:                              [  OK  ]
    Starting vmware-vcd-cell                                   [  OK  ]
    
    
    
  5. Done, please validate your vCloud Director instance according to standard test procedures.
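
The binaries are installed on every cell while the database upgrade runs on only one, so a cell that was skipped keeps serving the unpatched portal. The script below is an added example, not part of the original post or of VMware's tooling: it takes a per-cell package inventory and lists the cells that are not fully on the build shown in the installer output above. The cell names and the older build string in the sample inventory are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): find cells that are not on the patched build.
# Package names and the build string are copied from the installer output above.
EXPECTED_BUILD="23.2019.03.25-12982517"
PACKAGES="vmware-vcloud-director vmware-vcloud-director-rhel vmware-vcloud-director-h5ui"

# unpatched_packages <list>: <list> holds one name-version-release.arch per line,
# as printed by `rpm -qa`. Prints each vCloud Director package that is missing
# or not at EXPECTED_BUILD; prints nothing for a fully patched cell.
unpatched_packages() {
    installed="$1"
    for pkg in $PACKAGES; do
        if ! printf '%s\n' "$installed" | grep -qxF "${pkg}-${EXPECTED_BUILD}.x86_64"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# stale_cells <inventory>: <inventory> holds one "cell package" pair per line.
# Prints the name of every cell with at least one unpatched package.
stale_cells() {
    inventory="$1"
    for cell in $(printf '%s\n' "$inventory" | awk '{print $1}' | sort -u); do
        pkgs=$(printf '%s\n' "$inventory" | awk -v c="$cell" '$1 == c {print $2}')
        [ -z "$(unpatched_packages "$pkgs")" ] || printf '%s\n' "$cell"
    done
}

# Constructed inventory: cell names are hypothetical and 23.0000.00.00-00000000
# is a placeholder for "any older build". On a real cell the package column
# would come from: rpm -qa 'vmware-vcloud-director*'
SAMPLE_INVENTORY="cell1 vmware-vcloud-director-23.2019.03.25-12982517.x86_64
cell1 vmware-vcloud-director-rhel-23.2019.03.25-12982517.x86_64
cell1 vmware-vcloud-director-h5ui-23.2019.03.25-12982517.x86_64
cell2 vmware-vcloud-director-23.0000.00.00-00000000.x86_64
cell2 vmware-vcloud-director-rhel-23.0000.00.00-00000000.x86_64
cell2 vmware-vcloud-director-h5ui-23.0000.00.00-00000000.x86_64
cell3 vmware-vcloud-director-23.2019.03.25-12982517.x86_64
cell3 vmware-vcloud-director-rhel-23.2019.03.25-12982517.x86_64"

# Lists cell2 (old build) and cell3 (h5ui package missing).
stale_cells "$SAMPLE_INVENTORY"
```

An empty result means every cell in the inventory carries all three packages at the patched build.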