All of VMware’s EUC products were continuously updated (in recent years almost always every 3 months) to add new features, fix bugs and mitigate security vulnerabilities.
The move to Broadcom and the subsequent sale of the EUC products, now under Omnissa, brought a few months of stabilization… but I'm happy to announce that version 2406 of App Volumes and of Unified Access Gateway is out.
What's new?
App Volumes
Persistent Desktop Support
Expanded Use Cases: New support for classic Windows desktop environments, a significant enhancement to our Apps Everywhere strategy. This new feature extends our efficient one-to-many provisioning model, previously available only for non-persistent desktops, to persistent virtual desktop environments.
And more…
Replicate Application Packages in Specific Stages
We are excited to introduce the Replicate Application Packages in Specific Stages feature, designed to enhance the life cycle management of applications across multiple instances of App Volumes Manager.
And more…
Select a specific Package Version when Launching an App (Technology Preview)
Many times I have had to demonstrate that communication between the Unified Access Gateway and the Connection Servers was not working because of poorly configured firewall rules. A very useful test is to connect to the UAG console and run the classic curl command:
curl -v -k https://<FQDN or IP ADDRESS CS>:443/
If the connection works, the output is the Connection Server's HTML response;
if the connection is not allowed by the firewall, curl fails before any HTTP response is received.
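The same check, wrapped so that it can be scripted from the UAG console and so that curl's result is turned into a short diagnosis (added example, not part of the original post; it assumes curl is available on the appliance, as the post's own command does, and that the Connection Server listens on 443):

```shell
#!/bin/sh
# Added example (not from the original post): probe a Connection Server from the
# UAG console with curl and turn the result into a short diagnosis.
# Assumptions: curl is present on the appliance (the post uses it) and the
# Connection Server answers HTTPS on port 443.

# Map curl's exit status to a human-readable cause. The numbers are curl's
# documented exit codes: 0 ok, 6 DNS failure, 7 could not connect,
# 28 timeout, 35 TLS handshake failure.
classify_curl_exit() {
    case "$1" in
        0)  echo "ok: TLS session established and HTTP response received" ;;
        6)  echo "dns: could not resolve the Connection Server name" ;;
        7)  echo "blocked: TCP connection failed (firewall rule or service down)" ;;
        28) echo "timeout: no answer within the time limit (packets silently dropped)" ;;
        35) echo "tls: TCP reached the host but the TLS handshake failed" ;;
        *)  echo "other: curl exit code $1" ;;
    esac
}

# Run the same request the post shows (-k skips certificate validation, as the
# post does), but with an explicit timeout and without dumping the HTML.
probe_cs() {
    host="$1"
    port="${2:-443}"
    http_code=$(curl -sS -k -o /dev/null --connect-timeout 5 --max-time 15 \
        -w '%{http_code}' "https://${host}:${port}/" 2>/dev/null)
    rc=$?
    printf '%s:%s -> %s' "$host" "$port" "$(classify_curl_exit "$rc")"
    [ "$rc" -eq 0 ] && printf ' (HTTP %s)' "$http_code"
    printf '\n'
    return "$rc"
}

# Usage on the UAG console (hypothetical host name):
#   probe_cs cs01.example.internal
```

A "blocked" result (exit code 7) is the signature of a firewall that rejects the connection; a "timeout" (exit code 28) usually means the rule silently drops packets instead, which is worth distinguishing when talking to the network team.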
At the end of March 2023, new versions of the products that make up the Horizon suite were released (Connection Server, App Volumes, DEM and Unified Access Gateway).
There are several interesting features; below are the links to each release note.
I would also point out that App Volumes is now available as a preview for use in the Azure environment (this deployment option is intended for application packages, not Writable Volumes).
It often happens that the UAG (Unified Access Gateway) in a VMware Horizon infrastructure is forgotten, and with it the root and admin passwords.
Remember that the UAG is the component of a Horizon infrastructure that is exposed to the outside and therefore more subject to attacks, so it is good practice to keep it constantly updated.
So, if we forgot the root and admin passwords of our virtual appliance, VMware has the necessary documentation to reset these accounts, which you can find at these links:
Recently, at a customer site, it happened to me that even after the root user's password had been reset, the user still could not log in; the error was as follows:
The cause of the problem is that the root user's shell has been disabled. The evidence is in the /etc/passwd file of the virtual appliance, where the root user's entry is configured as follows:
(The following commands can be executed from the virtual appliance console, accessed in the way described for changing the root user's password, which is available at this link)
cat /etc/passwd
To fix the situation, simply run the following command:
At this point, restart with the command reboot -f and we will be able to log in again.
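A small check for the situation described above, which reads root's shell from a passwd file and says whether a console login can succeed at all (added example, not part of the original post; the sample passwd lines are constructed, and the list of "disabled" shells is an assumption, since the post does not show the exact value it found):

```shell
#!/bin/sh
# Added example (not from the original post): check whether the root account in
# a passwd file still has a usable login shell.
# Assumptions: the file has the usual seven colon-separated fields, and
# /bin/false, /usr/bin/false, /sbin/nologin and /usr/sbin/nologin are treated as
# "disabled" shells (the exact value the post saw is not given).

# Print root's shell (7th field) from the given passwd file, default /etc/passwd.
root_shell() {
    awk -F: '$1 == "root" { print $7 }' "${1:-/etc/passwd}"
}

# Return 0 if root can get a shell, 1 if the shell field is empty or a
# non-login shell, 2 if there is no root entry at all.
root_shell_status() {
    file="${1:-/etc/passwd}"
    if ! grep -q '^root:' "$file"; then
        echo "no root entry found in $file"
        return 2
    fi
    shell=$(root_shell "$file")
    case "$shell" in
        ""|/bin/false|/usr/bin/false|/sbin/nologin|/usr/sbin/nologin)
            echo "root shell is disabled (${shell:-empty}): console login fails even with a valid password"
            return 1 ;;
        *)
            echo "root shell is $shell"
            return 0 ;;
    esac
}

# Constructed sample lines (not copied from a real appliance) to exercise the
# check offline: the first reproduces the symptom, the second a healthy entry.
sample_disabled='root:x:0:0:root:/root:/bin/false
gateway:x:1000:100::/home/gateway:/bin/bash'
sample_ok='root:x:0:0:root:/root:/bin/bash'

# Usage on the appliance:  root_shell_status /etc/passwd
```

When the check reports a disabled shell, the remedy is to give root a login shell again (the generic Linux command for that is `usermod -s /bin/bash root`; this is stated as the standard remedy, not as the command the post itself omits) and then reboot as the post describes.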
On December 14, 2021, the Apache Software Foundation notified the community that their initial guidance for CVE-2021-44228 workarounds was not sufficient. We believed the previous instructions in this article to be an effective mitigation for CVE-2021-44228, but in the best interest of our customers, we must assume the earlier workaround may not adequately address all attack vectors.
We need to run the following script:
#!/bin/bash
# Print a message prefixed with a timestamp and the host name
function log_to_console() {
    echo "$(date +'%Y-%m-%d %T')" "$HOSTNAME" "$@"
}

log_to_console "Running script to remove JndiLookup.class from jars in Unified Access Gateway"
log_to_console "UAG Version: " "$(tail -1 /opt/vmware/gateway/logs/version.info 2>/dev/null)"

mkdir -p /tmp/test
mkdir -p /tmp/bkp

log_to_console "Unpacking archive and removing JndiLookup.class"
# Keep a backup of the original jar before touching it
cp /opt/vmware/gateway/lib/ab-frontend-0.2.jar /tmp/bkp
unzip -q -o /opt/vmware/gateway/lib/ab-frontend-0.2.jar -d /tmp/test
unzip -q -o /tmp/test/hc.war -d /tmp/test/hc
# Delete the vulnerable class from the log4j-core jar bundled inside hc.war
zip -dq /tmp/test/hc/WEB-INF/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
rm /tmp/test/hc.war
cd /tmp/test/hc || exit 1
zip -r -q ../hc.war .
cd ..
rm -rf hc

log_to_console "Repackaging archive"
zip -r -q ab-frontend-0.2.jar .
chown gateway:users ab-frontend-0.2.jar
mv ab-frontend-0.2.jar /opt/vmware/gateway/lib

log_to_console "Replaced updated ab-frontend-0.2.jar, now looking for jndi in other places"
# List every jar/war that still contains JndiLookup.class, then strip the class from the jars
find / -type f \( -name "*.jar" -o -name "*.war" \) -exec sh -c "zipinfo -1 {} 2>/dev/null | grep 'JndiLookup.class' && echo {}" \; | grep '\.jar$' | while read -r line ; do
    jar_path=$line
    log_to_console "Updating $jar_path"
    zip -dq "$jar_path" org/apache/logging/log4j/core/lookup/JndiLookup.class
    chown gateway:users "$jar_path"
done

log_to_console "Restarting authbroker"
supervisorctl restart authbroker

log_to_console "Cleaning up."
cd /tmp
rm -rf /tmp/test

log_to_console "Verification: We are good if no jars are listed below"
find / -type f \( -name "*.jar" -o -name "*.war" \) -exec sh -c "zipinfo -1 {} 2>/dev/null | grep 'JndiLookup.class' && echo {}" \;

log_to_console "Verification: Grep authbroker-std-out.log for log4j errors, we are good if no exception is displayed below"
grep log4j /opt/vmware/gateway/logs/authbroker-std-out.log

log_to_console "Done!"
So we need to connect to the UAG and create the file uag_rm_log4j_jndilookup.sh:
vi uag_rm_log4j_jndilookup.sh
copy the code into the file and make it executable:
chmod +x uag_rm_log4j_jndilookup.sh
then run the script:
./uag_rm_log4j_jndilookup.sh
Now, if the UAG version is between 2009 and 2111, it is also necessary to set the -Dlog4j2.formatMsgNoLookups=true option on the authbroker service with the following command. Note the space between "s/java /java" and the space after "true /" in the command: they are important to ensure the command works correctly and doesn't modify the wrong lines in the configuration file.
sed -i 's/java /java -Dlog4j2.formatMsgNoLookups=true /' /opt/vmware/gateway/supervisor/conf/authbroker.ini
In mid-December a "little exploit" came to light……
OK, it is not a joke. To mitigate it on the UAG (Unified Access Gateway, the security server exposed on the Internet for remote access to the Horizon infrastructure), that is, to apply the workaround for CVE-2021-44228 to Unified Access Gateway versions 2009 through 2111, it is necessary to:
Connect to the UAG server with an SSH session
Check whether SSH on the UAG server is enabled to accept root connections.
Connect from the web console or VMware Remote Console to the UAG virtual appliance and modify the following line in /etc/ssh/sshd_config (use vi to edit it):
PermitRootLogin no
to
PermitRootLogin yes
Save the file
Restart the SSHD service with this command:
service sshd restart
Now you are able to open an SSH connection to the UAG server. REMEMBER TO DISABLE SSH ACCESS FOR THE ROOT USER AFTERWARDS BY ROLLING BACK THE SETTING IN THE SSHD_CONFIG FILE
Append the fix -Dlog4j2.formatMsgNoLookups=true
Type this command:
sed -i 's/java /java -Dlog4j2.formatMsgNoLookups=true /' /opt/vmware/gateway/supervisor/conf/authbroker.ini
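The sed one-liner above (the same one used in the script section earlier) inserts the flag on every line containing "java " each time it runs, so running it twice, for example once by hand and once from the script, produces a duplicated flag. The following is an idempotent variant that skips lines already carrying the flag (added example, not from the original post or from VMware; the authbroker.ini content used to exercise it is constructed, only the file path comes from the post):

```shell
#!/bin/sh
# Added example (not from the original post): an idempotent version of the
# post's sed command for authbroker.ini. It only edits lines that launch java
# and do not already contain the flag, so it is safe to re-run.
# Assumptions: the authbroker.ini path is the one given in the post; the sample
# content below is constructed and is not a copy of the real file.

FLAG='-Dlog4j2.formatMsgNoLookups=true'

# Insert the flag after "java " on lines that lack it. Keeps the same spacing
# as the post's command: "java " becomes "java -Dlog4j2.formatMsgNoLookups=true ".
add_nolookups_flag() {
    ini="${1:-/opt/vmware/gateway/supervisor/conf/authbroker.ini}"
    sed -i "/${FLAG}/!s/java /java ${FLAG} /" "$ini"
}

# Count how many times the flag appears, to verify the result (expected: 1).
count_flag() {
    grep -c -- "$FLAG" "${1:-/opt/vmware/gateway/supervisor/conf/authbroker.ini}"
}

# Constructed sample (not the real supervisor config): one java launch line.
sample_ini='[program:authbroker]
command=/usr/java/bin/java -Xmx512m -jar /opt/vmware/gateway/lib/authbroker.jar
autostart=true'

# Usage on the appliance:
#   add_nolookups_flag            # edits the real authbroker.ini
#   count_flag                    # prints 1 if the flag is present once
```

After editing, restart the authbroker service (supervisorctl restart authbroker, as the script section shows) so the new JVM option takes effect.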
Assign Users or Groups permission to the Enterprise application
Import the XML on the UAG and configure it
Import the Identity Provider Metadata, selecting the XML file downloaded from the Enterprise Application
Select the identity provider
Select More Options
Then select SAML and the correct Identity Provider (with SAML+PASSTHROUGH the identity token is not passed to the Horizon Connection Server and a new authentication will be required)