VMware Identity Manager Patches for Security Vulnerabilities

Details

This article was issued in response to the following Apache Tomcat security vulnerability:
CVE-2017-12617 (Apache Tomcat Remote Code Execution via JSP Upload)

It also covers the following JRE security vulnerabilities:
CVE-2017-10346
CVE-2017-10285
CVE-2017-10388
CVE-2017-10309

VMware Identity Manager versions that ship with a version of Apache Tomcat that is affected by CVE-2017-12617:
  • VMware Identity Manager version 3.0 (Linux)
  • VMware Identity Manager version 9.2 (Windows)
  • VMware Identity Manager Connector 2017.8.1.0 (Linux)
  • VMware Identity Manager Connector component of VMware Enterprise Systems Connector 9.2 (Windows)
  • VMware Identity Manager version 2.9, 2.9.1.0, or 2.9.2.0 (Linux)
  • VMware Identity Manager version 9.1.x (Windows)
  • VMware Identity Manager Connector 2017.4.1, 2017.5.1.0, 2017.7.1.0 (Linux)
  • VMware Identity Manager Connector component of VMware Enterprise Systems Connector 9.1.x (Windows)

VMware Identity Manager versions that ship with a version of JRE affected by CVE-2017-10346, CVE-2017-1028:
  • VMware Identity Manager version 3.0 (Linux)
  • VMware Identity Manager version 9.2 (Windows)
  • VMware Identity Manager Connector 2017.8.1.0 (Linux)
  • VMware Identity Manager Connector component of VMware Enterprise Systems Connector 9.2 (Windows)
  • VMware Identity Manager version 2.9 to 2.9.2.1 (Linux)
  • VMware Identity Manager version 9.1.x (Windows)
  • VMware Identity Manager Connector 2017.4.1 to 2017.7.1.1 (Linux)
  • VMware Identity Manager Connector component of VMware Enterprise Systems Connector 9.1.x (Windows)

Solution

This VMware KB article provides instructions on how to update the Apache Tomcat version and JRE versions in VMware Identity Manager to a version that is not affected by these CVEs. Further investigation has shown that these CVEs do not affect vIDM.
