Workaround instructions to address CVE-2021-44228 and CVE-2021-45046 in vRealize Suite Lifecycle Manager 2.x



Article ID: 312290


Products

VMware Aria Suite

Issue/Introduction

Symptoms:
CVE-2021-44228 has been determined to impact vRealize Suite Lifecycle Manager 2.x via the Apache Log4j open source component it ships. This vulnerability and its impact on VMware products are documented in the following VMware Security Advisory (VMSA); please review that document before continuing:

CVE-2021-44228 - VMSA-2021-0028

Notice: On December 14, 2021 the Apache Software Foundation notified the community that their initial guidance for CVE-2021-44228 workarounds was not sufficient. We believe the instructions in this article to be an effective mitigation for CVE-2021-44228, but in the best interest of our customers we must assume this workaround may not adequately address all attack vectors.
We expect to fully address both CVE-2021-44228 and CVE-2021-45046 by updating log4j to version 2.17 in a forthcoming vRealize Suite Lifecycle Manager patch release, as outlined by our software support policies. VMSA-2021-0028 will be updated when that release is available. In the interim, this Knowledge Base article has been updated with revised guidance to remove all JndiLookup classes, per Apache Software Foundation guidance. Please subscribe to this article to be informed when updates are published.

Environment

VMware vRealize Suite Lifecycle Manager 2.x

Resolution

Note: The official patch has been released for vRSLCM 2.1 to address the log4j vulnerabilities. Installing the patch is the recommended way to address them. The patch can be applied regardless of whether the steps in this KB were applied earlier. The steps in this KB are an interim workaround until the official patch is installed.

For more details on patch please visit the release notes:
VMware-vRealize-Suite-Lifecycle-Manager-21-Patch-3-Release-Notes

Workaround:
1. Take a snapshot of the vRealize Suite Lifecycle Manager appliance, so the change can be reverted if needed
2. Copy the attached log4jfix-for-vrslcm2x.sh file to the /tmp directory of the appliance
3. Log into the vRSLCM appliance as root via SSH
4. Change to the /tmp directory:
   cd /tmp
5. Run the following command to make the log4jfix-for-vrslcm2x.sh script executable:
   chmod +x log4jfix-for-vrslcm2x.sh
6. Run the following command to execute the script:
   ./log4jfix-for-vrslcm2x.sh

Verification:

 1. Re-run the script:
     ./log4jfix-for-vrslcm2x.sh

    The output of this second run shows whether the system has been modified correctly.
    If the script has addressed all impacted jar files, the output looks like this:

Validating Log4j vulnerability for vRealize Suite Lifecycle Manager.
Validating vRSLCM war.
No impacted jar file was found for vRSLCM services.
Validating Blackstone service jar.
No impacted jar file was found for the Blackstone service.

If the script still finds an impacted jar file on this run, it remediates that jar again; repeat the run until the output above is produced.
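The article does not reproduce the contents of the attached log4jfix-for-vrslcm2x.sh, so the following is an added example (not VMware's script) of the mitigation the notice above refers to: walk a directory, find every jar/war that carries org/apache/logging/log4j/core/lookup/JndiLookup.class (including jars nested inside a war, which is where a service's war keeps log4j-core), and either report the hits (verify-only mode, the equivalent of the article's second run) or rewrite the archive without that class. The directory layout, the sample war and the log4j-core file name inside it are constructed fixtures for the demonstration, and the "class" bytes are placeholders rather than real bytecode.

```python
"""Find and strip Log4j's JndiLookup class from jar/war archives.

Added example for this KB article; it is NOT VMware's attached
log4jfix-for-vrslcm2x.sh script. It implements the Apache-recommended
mitigation the article refers to (deleting
org/apache/logging/log4j/core/lookup/JndiLookup.class from every affected
archive, including jars nested inside a war) and offers a verify-only mode
that mirrors the article's second run of the script.
"""
from __future__ import annotations

import io
import os
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear")


def _strip_from_bytes(data: bytes) -> tuple[bytes, list[str]]:
    """Rebuild one archive (held in memory) without JndiLookup.class.

    Returns (new_archive_bytes, removed_entries). Nested archives are
    processed recursively, so a war's WEB-INF/lib/log4j-core-*.jar is
    covered; nested hits are reported as outer.jar!/inner/path.
    """
    removed: list[str] = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as zin, zipfile.ZipFile(out, "w") as zout:
        for info in zin.infolist():
            if info.filename == JNDI_CLASS:
                removed.append(info.filename)
                continue  # drop the vulnerable class, keep everything else
            payload = zin.read(info)
            if info.filename.lower().endswith(ARCHIVE_EXT):
                payload, inner = _strip_from_bytes(payload)
                removed.extend(f"{info.filename}!/{e}" for e in inner)
            zout.writestr(info, payload)  # writestr recomputes size and CRC
    return out.getvalue(), removed


def find_jndi_lookup(archive_path: str) -> list[str]:
    """Verify-only: list JndiLookup entries without modifying the archive."""
    with open(archive_path, "rb") as fh:
        _, found = _strip_from_bytes(fh.read())
    return found


def strip_jndi_lookup(archive_path: str) -> list[str]:
    """Fix: rewrite the archive in place without JndiLookup.class.

    Writes to a temporary file first and atomically replaces the original,
    so a crash mid-write cannot leave a truncated jar behind.
    """
    with open(archive_path, "rb") as fh:
        new_bytes, removed = _strip_from_bytes(fh.read())
    if removed:
        tmp = archive_path + ".tmp"
        with open(tmp, "wb") as fh:
            fh.write(new_bytes)
        os.replace(tmp, archive_path)
    return removed


def scan_tree(root: str, fix: bool = False) -> dict[str, list[str]]:
    """Walk root and report every impacted archive; fix=True also strips them."""
    report: dict[str, list[str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, name)
            try:
                hits = strip_jndi_lookup(path) if fix else find_jndi_lookup(path)
            except zipfile.BadZipFile:
                continue  # not a real archive despite the extension
            if hits:
                report[path] = hits
    return report


def build_sample_war(path: str) -> None:
    """Constructed fixture: a war bundling a fake log4j-core jar that carries
    JndiLookup.class. Class bytes are placeholders, not real bytecode."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe placeholder")
        z.writestr("org/apache/logging/log4j/core/lookup/DateLookup.class", b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("WEB-INF/web.xml", "<web-app/>")
        z.writestr("WEB-INF/lib/log4j-core-2.11.2.jar", inner.getvalue())


def demo() -> dict:
    """Run the article's workflow on the fixture: verify, fix, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        war = os.path.join(tmp, "sample.war")
        build_sample_war(war)
        r = {"verify": find_jndi_lookup(war), "tree_before": scan_tree(tmp)}
        r["removed"] = strip_jndi_lookup(war)
        r["verify_after"] = find_jndi_lookup(war)
        r["tree_after"] = scan_tree(tmp)
        with zipfile.ZipFile(war) as z:  # confirm the rest of the war survived
            r["web_xml"] = z.read("WEB-INF/web.xml").decode()
            with zipfile.ZipFile(io.BytesIO(z.read("WEB-INF/lib/log4j-core-2.11.2.jar"))) as j:
                r["inner_entries_after"] = j.namelist()
        return r


if __name__ == "__main__":
    result = demo()
    print("Validating constructed sample war.")
    print("Impacted entries before fix:", result["verify"])
    print("Removed:", result["removed"])
    print("Impacted entries after fix:", result["verify_after"] or "none")
```

Against a real appliance the equivalent of the article's two runs is scan_tree(root, fix=True) followed by scan_tree(root); an empty second report is the condition to look for, just as the "No impacted jar file was found" lines are in the article's output. Services that have the old jar mapped in memory keep the vulnerable class until they are restarted, so a clean on-disk report alone does not prove the running process is fixed.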

Additional Information

https://www.vmware.com/security/advisories/VMSA-2021-0028.html

Change Log:
  • December 21st, 2021 - 10:45 IST: Drafted initial document with an initial workaround.
  • December 21st, 2021 - 11 IST: Added support for 2.x with new script log4jfix-for-vrslcm2x.sh uploaded
  • February 10th, 2022 - 4 PM IST: Official patch released for vRSLCM 2.1 to address the log4j vulnerabilities


Attachments

log4jfix-for-vrslcm2x.sh