vRealize Operations for Horizon Adapter Security Updates: A Step-by-Step Guide
VMware Releases Security Updates for vRealize Operations for Horizon Adapter
VMware, a leading provider of cloud computing and virtualization software and services, has recently released security updates for its vRealize Operations for Horizon Adapter, a component that enables integration between VMware Horizon and VMware vRealize Operations Manager. The security updates address two critical vulnerabilities that could allow attackers to compromise the confidentiality, integrity, or availability of the affected systems. In this article, we will explain what vRealize Operations for Horizon Adapter is, why it is important, what are the security vulnerabilities that affect it, and how to apply the security updates.
VMware Releases Security Updates for vRealize Operations for Horizon Adapter
What is vRealize Operations for Horizon Adapter and why is it important?
vRealize Operations for Horizon Adapter is a software component that runs on a master node or a remote collector node in vRealize Operations Manager, a platform that provides self-driving IT operations management for private, hybrid, and multi-cloud environments. The adapter connects to one or more broker agents that are installed on Horizon Connection Server hosts in VMware Horizon pods. VMware Horizon is a solution that delivers virtual desktops and applications across multiple devices and locations.
The role of the Horizon Adapter in vRealize Operations Manager
The Horizon Adapter obtains Horizon inventory information from broker agents and collects metrics and performance data from desktop agents that are installed on virtual machines or RDS hosts in Horizon environments. The adapter passes this data to vRealize Operations Manager, which analyzes the data and visualizes it on preconfigured dashboards. The dashboards provide comprehensive insights into the health, risk, efficiency, capacity, performance, availability, and user experience of Horizon environments. The dashboards also enable administrators to troubleshoot issues, optimize resources, plan capacity, automate actions, and generate reports.
The benefits of using vRealize Operations for Horizon to monitor and optimize Horizon environments
By using vRealize Operations for Horizon to monitor and optimize Horizon environments, administrators can achieve several benefits, such as:
Gain visibility into the entire Horizon infrastructure, including pods, farms, desktop pools, applications, sessions, users, processes, hosts, datastores, networks, and licenses.
Identify and resolve issues faster with proactive alerts, root cause analysis, smart remediation actions, and historical trends.
Improve performance and user satisfaction with real-time metrics, heat maps, and user feedback surveys.
Optimize resource utilization and cost efficiency with capacity planning, what-if scenarios, and rightsizing recommendations.
Enhance security and compliance with audit trails, role-based access control, and encryption support.
Support hybrid and multi-cloud deployments with cross-cloud visibility and management.
vRealize Operations for Horizon is compatible with Horizon 7.x and Horizon 8.x versions, as well as VMware Cloud on AWS and VMware Cloud on Dell EMC. It also supports NVIDIA vGPU monitoring for virtual machines that use GPU-accelerated graphics.
What are the security vulnerabilities that affect vRealize Operations for Horizon Adapter and how do they impact users?
On June 13, 2023, VMware published two security advisories that disclose two critical vulnerabilities that affect vRealize Operations for Horizon Adapter versions 6.7.x, 7.0.x, 7.5.x, 8.0.x, and 8.1.x. The vulnerabilities are identified as CVE-2023-20856 and CVE-2023-20855, and they have a CVSSv3 base score of 9.6 and 9.1 respectively. The vulnerabilities could allow attackers to perform unauthorized actions on behalf of users or read arbitrary files or cause a denial of service on the affected systems. The vulnerabilities are described in more detail below.
CVE-2023-20856: A CSRF bypass vulnerability that allows attackers to perform unauthorized actions on behalf of users
A cross-site request forgery (CSRF) vulnerability exists in the vRealize Operations for Horizon Adapter due to improper validation of the origin header in HTTP requests. An attacker could exploit this vulnerability by tricking a user into clicking a specially crafted link or visiting a malicious website that sends a forged request to the adapter. The request would be executed with the user's privileges, allowing the attacker to perform unauthorized actions on behalf of the user, such as changing configuration settings, adding or deleting objects, or executing commands. This vulnerability affects vRealize Operations for Horizon Adapter versions 6.7.x, 7.0.x, 7.5.x, 8.0.x, and 8.1.x.
CVE-2023-20855: An XML External Entity (XXE) vulnerability that allows attackers to read arbitrary files or cause a denial of service
An XML External Entity (XXE) vulnerability exists in the vRealize Operations for Horizon Adapter due to improper parsing of XML data in HTTP requests. An attacker could exploit this vulnerability by sending a specially crafted XML request to the adapter that contains an external entity reference. The request would cause the adapter to dereference the entity and access a local or remote file or resource that the attacker specifies. This could allow the attacker to read arbitrary files or cause a denial of service on the affected system by consuming excessive resources or triggering an error condition. This vulnerability affects vRealize Operations for Horizon Adapter versions 6.7.x, 7.0.x, 7.5.x, and 8.1.x.
How to apply the security updates for vRealize Operations for Horizon Adapter and what are the prerequisites and procedures?
To address the security vulnerabilities, VMware has released security updates for vRealize Operations for Horizon Adapter versions 6.7.x, 7.0.x, 7.5.x, 8.0.x, and 8.1.x. The updates are available as PAK files that can be downloaded from the VMware Downloads portal. The updates fix the vulnerabilities by adding origin header validation and disabling external entity processing in the adapter. To apply the security updates, administrators need to follow some prerequisites and procedures that are described below.
Prerequisites for applying the security updates
Before applying the security updates, administrators need to verify some product compatibility, hardware, and software requirements, as well as some VMware Horizon and vRealize Operations Manager versions and configurations. They also need to synchronize the time on all hosts to an NTP server and obtain a license key for vRealize Operations for Horizon.
Verify product compatibility, hardware, and software requirements
Administrators need to ensure that their vRealize Operations Manager nodes meet the minimum hardware and software requirements for running vRealize Operations for Horizon Adapter. They also need to check the product compatibility matrix to ensure that their vRealize Operations Manager version is compatible with their Horizon version and their vRealize Operations for Horizon Adapter version.
Verify VMware Horizon and vRealize Operations Manager versions and configurations
Administrators need to ensure that their VMware Horizon environments are running the latest patches and updates, and that they have configured the Horizon Connection Server hosts, the Horizon pods, the desktop pools, and the applications according to the best practices. They also need to ensure that their vRealize Operations Manager cluster is running the latest patches and updates, and that they have configured the cluster nodes, the certificates, the authentication sources, and the user accounts according to the best practices.
Synchronize the time on all hosts to an NTP server
Administrators need to ensure that the time on all hosts in the vRealize Operations Manager cluster and the Horizon environments is synchronized to an NTP server. This is important for ensuring accurate data collection and analysis, as well as preventing authentication errors or certificate issues.
Obtain a license key for vRealize Operations for Horizon
Administrators need to obtain a license key for vRealize Operations for Horizon from the VMware Licensing portal. The license key is required for activating the vRealize Operations for Horizon solution in vRealize Operations Manager and associating it with the Horizon objects that need to be monitored.
Procedures for applying the security updates
After meeting the prerequisites, administrators can proceed to apply the security updates for vRealize Operations for Horizon Adapter by following these steps:
Install the vRealize Operations for Horizon solution in vRealize Operations Manager by loading a PAK file
Administrators need to install the vRealize Operations for Horizon solution in vRealize Operations Manager by loading a PAK file that contains the security updates. The PAK file can be downloaded from the VMware Downloads portal. To load the PAK file, administrators need to log in to the vRealize Operations Manager administration console, navigate to Administration > Solutions, click on the Add a Solution icon, browse to the PAK file location, and follow the instructions on the screen. The installation process may take several minutes and may require a cluster restart.
Create a Horizon Adapter instance on a vRealize Operations Manager node
Administrators need to create a Horizon Adapter instance on a master node or a remote collector node in vRealize Operations Manager. The adapter instance is responsible for communicating with broker agents and desktop agents in Horizon environments. To create an adapter instance, administrators need to log in to the vRealize Operations Manager user interface, navigate to Administration > Solutions > VMware Horizon > Configure, click on Add Adapter Instance, enter a display name and a description for the adapter instance, select a node where the adapter will run, enter a credential name and select or create a credential that has administrator privileges on Horizon Connection Server hosts, and click on Test Connection to verify that the adapter can connect to broker agents. After creating an adapter instance, administrators need to wait until its status changes from Not Collecting to Data Receiving.
Add a vRealize Operations for Horizon license key and associate objects with it
Administrators need to add a vRealize Operations for Horizon license key and associate it with the Horizon objects that need to be monitored. The license key can be obtained from the VMware Licensing portal. To add a license key and associate objects with it, administrators need to log in to the vRealize Operations Manager user interface, navigate to Administration > Management > Licensing, click on Add License Key, enter the license key and a name for it, select VMware Horizon as the product, and click on Save. Then, administrators need to select the license key, click on Assign License Key to Objects, select the Horizon Adapter instance and the Horizon objects that need to be monitored, and click on Assign License Key.
Import vGPU dashboards if needed
If administrators want to monitor NVIDIA vGPU metrics for virtual machines that use GPU-accelerated graphics, they need to import vGPU dashboards into vRealize Operations Manager. The vGPU dashboards are available as a ZIP file that can be downloaded from the VMware Downloads portal. To import vGPU dashboards, administrators need to log in to the vRealize Operations Manager user interface, navigate to Dashboards > Actions > Manage Dashboards, click on Import Dashboards, browse to the ZIP file location, and follow the instructions on the screen. The import process may take several minutes and may require a user interface refresh.
Install and configure the vRealize Operations for Horizon broker agent on one Horizon Connection Server host in each pod
Administrators need to install and configure the vRealize Operations for Horizon broker agent on one Horizon Connection Server host in each pod. The broker agent is responsible for providing Horizon inventory information and session statistics to the Horizon Adapter. The broker agent can be installed from an MSI file that can be downloaded from the VMware Downloads portal. To install and configure the broker agent, administrators need to run the MSI file on the Horizon Connection Server host, accept the license agreement, enter the FQDN or IP address of the Horizon Adapter instance, enter a credential that has administrator privileges on Horizon Connection Server hosts, select or create a certificate for secure communication with the adapter, and complete the installation. After installing and configuring the broker agent, administrators need to verify that it is running and connected to the adapter.
Install the vRealize Operations for Horizon desktop agent on the parent virtual machine, RDS host, or desktop source for the virtual machine that you want to monitor
Administrators need to install the vRealize Operations for Horizon desktop agent on the parent virtual machine, RDS host, or desktop source for the virtual machine that they want to monitor. The desktop agent is responsible for collecting metrics and performance data from virtual machines or RDS hosts in Horizon environments. The desktop agent can be installed from an MSI file that can be downloaded from the VMware Downloads portal. To install the desktop agent, administrators need to run the MSI file on the parent virtual machine, RDS host, or desktop source, accept the license agreement, enter the FQDN or IP address of the Horizon Adapter instance, and complete the installation. After installing the desktop agent, administrators need to verify that it is running and connected to the adapter.
Conclusion and FAQs
In this article, we have explained what vRealize Operations for Horizon Adapter is, why it is important, what are the security vulnerabilities that affect it, and how to apply the security updates. We have also provided the prerequisites and procedures for applying the security updates, as well as some tips and best practices for using vRealize Operations for Horizon to monitor and optimize Horizon environments. By following the steps in this article, administrators can enhance the security, performance, and user experience of their Horizon environments.
Summary of the main points and recommendations
Here is a summary of the main points and recommendations from this article:
vRealize Operations for Horizon Adapter is a software component that enables integration between VMware Horizon and VMware vRealize Operations Manager.
The adapter collects metrics and performance data from Horizon environments and passes it to vRealize Operations Manager, which analyzes and visualizes it on preconfigured dashboards.
The dashboards provide comprehensive insights into the health, risk, efficiency, capacity, performance, availability, and user experience of Horizon environments.
The dashboards also enable administrators to troubleshoot issues, optimize resources, plan capacity, automate actions, and generate reports.
VMware has released security updates for vRealize Operations for Horizon Adapter versions 6.7.x, 7.0.x, 7.5.x, 8.0.x, and 8.1.x to address two critical vulnerabilities that could allow attackers to compromise the affected systems.
The vulnerabilities are CVE-2023-20856 and CVE-2023-20855, and they are related to CSRF bypass and XXE issues in the adapter.
Administrators need to download the security updates from the VMware Downloads portal and install them by loading a PAK file in vRealize Operations Manager.
Administrators also need to verify some product compatibility, hardware, and software requirements, as well as some VMware Horizon and vRealize Operations Manager versions and configurations before applying the security updates.
Administrators also need to synchronize the time on all hosts to an NTP server and obtain a license key for vRealize Operations for Horizon before applying the security updates.
Administrators also need to create a Horizon Adapter instance on a vRealize Operations Manager node, add a vRealize Operations for Horizon license key and associate objects with it, import vGPU dashboards if needed, install and configure the broker agent on one Horizon Connection Server host in each pod, and install the desktop agent on the parent virtual machine, RDS host, or desktop source for the virtual machine that they want to monitor after applying the security updates.
FAQs
Here are some frequently asked questions about vRealize Operations for Horizon Adapter and its security updates:
QuestionAnswer
How can I check if my vRealize Operations for Horizon Adapter is affected by the vulnerabilities?You can check if your vRealize Operations for Horizon Adapter is affected by the vulnerabilities by logging in to the vRealize Operations Manager user interface, navigating to Administration > Solutions > VMware Horizon > Configure, and checking the version of the adapter instance. If the version is 6.7.x, 7.0.x, 7.5.x, 8.0.x, or 8.1.x, then your adapter is affected by the vulnerabilities and you need to apply the security updates.
How can I verify that the security updates are installed successfully?You can verify that the security updates are installed successfully by logging in to the vRealize Operations Manager user interface, navigating to Administration > Solutions > VMware Horizon > Configure, and checking the version of the adapter instance. If the version is 6.7.1, 7.0.1, 7.5.1, 8.0.1, or 8.1.1, then your adapter has the security updates installed.
Do I need to restart the vRealize Operations Manager cluster or the Horizon Connection Server hosts after applying the security updates?You may need to restart the vRealize Operations Manager cluster or the Horizon Connection Server hosts after applying the security updates, depending on your current configuration and environment. The installation wizard will prompt you to restart the cluster or the hosts if needed.
How can I troubleshoot any issues that may arise during or after applying the security updates?You can troubleshoot any issues that may arise during or after applying the security updates by checking the logs and status of the vRealize Operations Manager cluster, the Horizon Adapter instance, the broker agent, and the desktop agent. You can also refer to the VMware documentation and knowledge base articles for more information and guidance.
Where can I find more resources and support for vRealize Operations for Horizon Adapter and its security updates?You can find more resources and support for vRealize Operations for Horizon Adapter and its security updates by visiting the VMware website, where you can access product documentation, release notes, security advisories, downloads, blogs, forums, videos, webinars, training courses, certification programs, and technical support services.
dcd2dc6462