Note: The official patch has been released on vRSLCM 2.1 to address the log4j vulnerabilities. It is recommended to install the patch to address the vulnerabilities. The patch can be applied independent of whether the steps in the KB were applied earlier or not. The steps in the KB are an interim workaround until the release of the official patch.
For more details on the patch, see the release notes:
VMware-vRealize-Suite-Lifecycle-Manager-21-Patch-3-Release-Notes
Workaround:
1. Take a snapshot of the vRealize Suite Lifecycle Manager appliance
2. Copy the attached log4jfix-for-vrslcm2x.sh file to the /tmp directory
3. Log in to the vRSLCM appliance as root via SSH
4. Change to the /tmp directory
cd /tmp
5. Run the following command to make the log4jfix-for-vrslcm2x.sh script executable:
chmod +x log4jfix-for-vrslcm2x.sh
6. Run the following command to execute the script:
./log4jfix-for-vrslcm2x.sh
Verification:
1. Re-run the following command to execute the script:
./log4jfix-for-vrslcm2x.sh
The output of this command shows whether the system has been modified correctly.
If the script has addressed all vulnerabilities, the output looks like this:
Validating Log4j vulnerability for vRealize Suite Lifecycle Manager.
Validating vRSLCM war.
No impacted jar file was found for vRSLCM services.
Validating Blackstone service jar.
No impacted jar file was found for the Blackstone service.
If any vulnerability is found while running the script, the script shall run again to fix the vulnerabilities.
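The verification step above can be scripted so the result is checked by exit code rather than by eye, which helps when several appliances need checking. The following is an added example, not part of the KB or of the attached script; the function name check_log4jfix_output, its return codes and the "incomplete" sample are assumptions, and it assumes the clean lines appear verbatim as listed above.

```shell
#!/bin/sh
# Added example, not part of the KB or of log4jfix-for-vrslcm2x.sh.
# Clean-result lines copied from the expected output listed in the KB.
BANNER='Validating Log4j vulnerability for vRealize Suite Lifecycle Manager.'
CLEAN_WAR='No impacted jar file was found for vRSLCM services.'
CLEAN_BLACKSTONE='No impacted jar file was found for the Blackstone service.'

# check_log4jfix_output (hypothetical name): reads the script output on stdin.
#   0 = both components report clean
#   1 = validator ran but a clean line is missing; re-run the script
#   2 = no validator banner (script missing, not executable, wrong host)
check_log4jfix_output() {
    out=$(tr -d '\r')   # tolerate CRLF from captured SSH sessions
    printf '%s\n' "$out" | grep -qF "$BANNER" || return 2
    printf '%s\n' "$out" | grep -qF "$CLEAN_WAR" || return 1
    printf '%s\n' "$out" | grep -qF "$CLEAN_BLACKSTONE" || return 1
    return 0
}

# Constructed sample: the clean output exactly as shown in the KB.
sample_clean() {
    cat <<'EOF'
Validating Log4j vulnerability for vRealize Suite Lifecycle Manager.
Validating vRSLCM war.
No impacted jar file was found for vRSLCM services.
Validating Blackstone service jar.
No impacted jar file was found for the Blackstone service.
EOF
}

# Constructed sample: Blackstone clean line absent. The text the real script
# prints when it finds an impacted jar is not shown in the KB, so none is used.
sample_incomplete() {
    cat <<'EOF'
Validating Log4j vulnerability for vRealize Suite Lifecycle Manager.
Validating vRSLCM war.
No impacted jar file was found for vRSLCM services.
Validating Blackstone service jar.
EOF
}

# On the appliance: ./log4jfix-for-vrslcm2x.sh 2>&1 | check_log4jfix_output
sample_clean | check_log4jfix_output && echo "clean: both checks passed"
sample_incomplete | check_log4jfix_output || echo "not clean (rc=$?): re-run the script"
```

Return code 2 keeps a failed invocation, such as a permission error or a missing file, from being read as a verification result.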