Workaround instructions to address CVE-2021-44228 in vSphere ESX Agent Manager SDK 7.0 U1, U2, U3

Article ID: 315485


Products

VMware vSphere ESXi

Issue/Introduction

CVE-2021-44228 has been determined to impact the vSphere ESX Agent Manager SDK, part of the vSphere Management SDK, via the Apache Log4j open source component it ships. This vulnerability and its impact on VMware products are documented in the following VMware Security Advisory (VMSA). Please review that document before continuing:



Symptoms:

 

     


    Resolution

    The workarounds described in this document are meant to be a temporary solution only. Upgrades documented in the aforementioned advisory should be applied to remediate CVE-2021-44228 when available.

    Workaround:

    To apply the workaround for CVE-2021-44228 to vSphere ESX Agent Manager SDK, perform the following steps:

    1. Navigate to the folder where the eam-sample.war file is located within the desired SDK folder. Typically the path will resemble /.../SDK/eam/.
    2. Back up the eam-sample.war file:
    cp eam-sample.war eam-sample.war.bak
    3. Execute the following command from the directory where eam-sample.war is located:
    unzip eam-sample.war -d /tmp/outputdir; \
    zip -q -d /tmp/outputdir/WEB-INF/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class; \
    jar cMf eam-sample.war -C /tmp/outputdir/ .
    

    Note: After you are done, delete the /tmp/outputdir/ directory.  We removed the "rm -rf" command from the end of the code block above to prevent any rm -rf mistakes.

    To verify that the workaround for CVE-2021-44228 has been correctly applied to vSphere ESX Agent Manager SDK, perform the following steps:

    1. Ensure that the /tmp/outputdir from the previous step is deleted.
    2. Navigate to the folder where the eam-sample.war file is located within the desired SDK folder. Typically the path will resemble /.../SDK/eam/.
    3. Run the command below from the directory where eam-sample.war is located to check whether the vulnerable class is still present in eam-sample.war:
    unzip eam-sample.war -d /tmp/outputdir 2>&1 1>/dev/null; \
    find /tmp/outputdir -type f -name "log4j-core-*.jar" -exec sh -c "zipinfo -1 {} | grep JndiLookup.class && echo {}" \;
    

    Note: successful output in the command prompt will look similar to the following:

    user@ubuntu:~/Documents/eam70u3/SDK/eam$ unzip eam-sample.war -d /tmp/outputdir 2>&1 1>/dev/null; \
    > find /tmp/outputdir -type f -name "log4j-core-*.jar" -exec sh -c "zipinfo -1 {} | grep JndiLookup.class && echo {}" \;
    user@ubuntu:~/Documents/eam70u3/SDK/eam$

    Note: a war file which did not have the workaround applied will have output similar to:

    user@ubuntu:~/Documents/eam70u3/SDK/eam$ unzip eam-sample.war.bak -d /tmp/outputdir 2>&1 1>/dev/null; \
    > find /tmp/outputdir -type f -name "log4j-core-*.jar" -exec sh -c "zipinfo -1 {} | grep JndiLookup.class && echo {}" \;
    org/apache/logging/log4j/core/lookup/JndiLookup.class
    /tmp/outputdir/WEB-INF/lib/log4j-core-2.11.0.jar
    user@ubuntu:~/Documents/eam70u3/SDK/eam$
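
The same check can be made without unpacking anything to /tmp/outputdir, so a leftover directory from an earlier run cannot affect the result. The Python script below is an added example, not part of the VMware article; it reads each log4j-core jar inside the WAR in memory, and build_sample_war is a hypothetical helper that constructs a sample WAR so the script runs offline.

```python
import io
import sys
import zipfile

# Class that the workaround deletes from each log4j-core jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def is_log4j_core(entry_name):
    base = entry_name.rsplit("/", 1)[-1]
    return base.startswith("log4j-core-") and base.endswith(".jar")


def jars_with_jndi_lookup(war):
    """Return the log4j-core jars in a WAR (path or file object) that still hold the class."""
    hits = []
    with zipfile.ZipFile(war) as outer:
        for name in outer.namelist():
            if not is_log4j_core(name):
                continue
            # Open the nested jar from memory; nothing is unpacked to disk.
            with zipfile.ZipFile(io.BytesIO(outer.read(name))) as jar:
                if JNDI_CLASS in jar.namelist():
                    hits.append(name)
    return hits


def build_sample_war(with_jndi_class):
    """Constructed sample WAR (hypothetical helper) holding one log4j-core jar."""
    jar_buf = io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w") as jar:
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"constructed")
        if with_jndi_class:
            jar.writestr(JNDI_CLASS, b"constructed")
    war_buf = io.BytesIO()
    with zipfile.ZipFile(war_buf, "w") as war:
        war.writestr("WEB-INF/web.xml", b"<web-app/>")
        war.writestr("WEB-INF/lib/log4j-core-2.11.0.jar", jar_buf.getvalue())
    return war_buf


if __name__ == "__main__":
    # Pass the path to eam-sample.war; with no argument the constructed sample is checked.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_war(True)
    found = jars_with_jndi_lookup(target)
    for jar_name in found:
        print(f"{JNDI_CLASS} still present in {jar_name}")
    sys.exit(1 if found else 0)
```

An exit status of 0 with no output corresponds to the successful case shown above; a non-zero status lists each jar that still ships the class.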

    To revert the workaround for CVE-2021-44228 on vSphere ESX Agent Manager SDK, perform the following steps:

    1. To revert the workaround, replace the modified eam-sample.war file with the backup created.
    cp eam-sample.war.bak eam-sample.war


    Additional Information

    Changelog:

    • December 20th 2021 - 15:41 MST:    Drafted initial document with initial workaround.


    Impact/Risks:
    No functional impact is expected from performing the workaround.