Workaround instructions to address CVE-2021-44228 in VMware Cloud Provider Lifecycle Manager 1.1 and 1.2
Article ID: 312298
Products: VMware Cloud on AWS
Issue/Introduction
Symptoms: CVE-2021-44228 has been determined to impact VMware Cloud Provider Lifecycle Manager 1.1 and 1.2 via the Apache Log4j open source component it ships. This vulnerability and its impact on VMware products are documented in the following VMware Security Advisory (VMSA); please review that document before continuing:
We will release an interop bundle update soon, which will bring a fix for this issue (basically the same fix as we apply in this KB).
Workaround: To apply the fix, we recommend the following.
For VCP LCM 1.2: The following procedure removes the JndiLookup class from the log4j-core jar bundled inside the VCP LCM application jar, so that log4j JNDI lookups can no longer be resolved.
1. Log in as the vcplcm user and sudo to root.
2. Update the main application to remove the JndiLookup class from log4j. This is done by running the following commands:
mkdir -p /tmp/fix-jar
unzip /opt/vmware/cplcm/bin/cplcm-rest-api.jar -d /tmp/fix-jar
zip -q -d /tmp/fix-jar/BOOT-INF/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
jar -c0Mf /tmp/fix-jar/cplcm-rest-api.jar -C /tmp/fix-jar/ BOOT-INF/ -C /tmp/fix-jar/ META-INF/ -C /tmp/fix-jar/ org/
3. Replace the jar file with the updated one. To do this, run the following commands:
chmod +w /opt/vmware/cplcm/bin/cplcm-rest-api.jar
cp /tmp/fix-jar/cplcm-rest-api.jar /opt/vmware/cplcm/bin/cplcm-rest-api.jar
chmod -w /opt/vmware/cplcm/bin/cplcm-rest-api.jar
4. Remove the temporary directory that was created in step 2:
rm -rf /tmp/fix-jar
5. Restart the VCP LCM service by running the following command:
systemctl restart vcplcm-api
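The procedure above deletes JndiLookup.class with zip and repacks the application jar uncompressed (jar -c0Mf). The following Python script is an added example, not VMware's code and not part of this KB: it builds a small constructed stand-in for cplcm-rest-api.jar (a Spring Boot style jar with a nested log4j-core jar under BOOT-INF/lib, with placeholder bytes instead of real class files and the assumed name log4j-core-SAMPLE.jar), performs the same class removal with the standard zipfile module, and, more usefully after step 3, scans a jar at every nesting depth to confirm the class is really gone. The function names (build_sample_fat_jar, walk_jar, find_jndi_lookup, strip_jndi_lookup) are this example's own.

```python
import io
import zipfile

# Path of the class the KB procedure deletes from the nested log4j-core jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED_TYPES = (".jar", ".war", ".zip")


def build_sample_fat_jar() -> bytes:
    """Construct a small stand-in for cplcm-rest-api.jar (sample data, not the
    real artifact): a Spring Boot style fat jar with a nested log4j-core jar
    under BOOT-INF/lib that still contains JndiLookup.class."""
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w", zipfile.ZIP_DEFLATED) as z:
        # Placeholder bytes stand in for real class files.
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
        z.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        # Spring Boot's launcher requires nested jars to be STORED (uncompressed),
        # which is why the KB repacks with "jar -c0Mf".
        z.writestr(zipfile.ZipInfo("BOOT-INF/lib/log4j-core-SAMPLE.jar"),
                   nested.getvalue(), zipfile.ZIP_STORED)
    return outer.getvalue()


def walk_jar(jar_bytes: bytes, prefix: str = ""):
    """Yield (path, compress_type) for every entry, descending into nested
    archives. Nested paths use the "outer.jar!inner/path" convention."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        for info in z.infolist():
            path = prefix + info.filename
            yield path, info.compress_type
            if info.filename.lower().endswith(NESTED_TYPES):
                yield from walk_jar(z.read(info), path + "!")


def find_jndi_lookup(jar_bytes: bytes) -> list:
    """Return every location of JndiLookup.class, at any nesting depth.
    An empty list means the class removal has been applied to this jar."""
    return [p for p, _ in walk_jar(jar_bytes) if p.split("!")[-1] == JNDI_CLASS]


def strip_jndi_lookup(jar_bytes: bytes) -> bytes:
    """Return a copy of the jar with JndiLookup.class removed at every nesting
    depth. Each entry keeps its original compression method so that nested
    jars stay STORED, as the Spring Boot launcher expects."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                continue
            data = src.read(info)
            if info.filename.lower().endswith(NESTED_TYPES):
                data = strip_jndi_lookup(data)
            new_info = zipfile.ZipInfo(info.filename, date_time=info.date_time)
            new_info.compress_type = info.compress_type
            new_info.external_attr = info.external_attr
            dst.writestr(new_info, data)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_fat_jar()
    print("before:", find_jndi_lookup(sample))
    fixed = strip_jndi_lookup(sample)
    print("after: ", find_jndi_lookup(fixed))
```

To verify a real installation after step 3, read /opt/vmware/cplcm/bin/cplcm-rest-api.jar as bytes and pass it to find_jndi_lookup; an empty result confirms the class is absent from the outer jar and every nested jar. The script preserves each entry's compression method on purpose: a nested jar that is re-deflated during repacking will not load under the Spring Boot launcher, which is the reason the KB's jar command uses -0.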
For VCP LCM 1.1: Add an additional environment variable to the start command of the docker container:
-e LOG4J_FORMAT_MSG_NO_LOOKUPS=true
E.g. start VCP LCM with the following docker command:
Impact/Risks: A malicious actor with network access to an impacted VMware product may exploit this issue to invoke remote code execution. VMware Cloud Provider Lifecycle Manager 1.1 and 1.2 contain the log4j library and require this workaround.