VMware Smart Assurance: Workaround instructions to address CVE-2021-44228 vulnerability in SAM [Service Assurance Manager]
Article ID: 317862

Products

VMware

Issue/Introduction

CVE-2021-44228 has been determined to impact VMware Smart Assurance Service Assurance Manager versions 10.1.0.X, 10.1.2 and 10.1.5 via the Apache Log4j open-source component that ships with its Elasticsearch module. This vulnerability and its impact on VMware products are documented in VMware Security Advisory (VMSA) VMSA-2021-0028; review that advisory before continuing.

Symptoms:

Notice: On December 14, 2021 the Apache Software Foundation notified the community that their initial guidance for CVE-2021-44228 workarounds was not sufficient. We believe the instructions in this article to be an effective mitigation for CVE-2021-44228, but in the best interest of our customers we must assume this workaround may not adequately address all attack vectors. We expect to fully address CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 by updating log4j to version 2.17 in forthcoming releases of “VMware Smart Assurance SAM [Service Assurance Manager]”, as outlined by our software support policies. VMSA-2021-0028 will be updated when these releases are available. In the interim, we have updated this Knowledge Base article with revised guidance to remove all JndiLookup classes per Apache Software Foundation guidance. 

Please subscribe to this article to be informed when updates are published.


Environment

VMware Smart Assurance - SMARTS

Resolution

The workaround described in this article is meant to be a temporary solution only. Upgrades documented in the aforementioned advisory should be applied to remediate CVE-2021-44228 when available.

Information about mitigation for VMware Smart Assurance SAM:

  • VMware Smart Assurance Service Assurance Manager version 10.1.7 has upgraded the log4j-core component to version 2.17.
  • The following patches have been released for VMware Smart Assurance Service Assurance Manager (SAM); in each of them the Smarts ElasticSearch service has upgraded the log4j-core component to version 2.17:
      • VMware Smart Assurance Service Assurance Manager (SAM) 10.1.0.16 (refer to the VMware Smart Assurance 10.1.0.16 Patch Release Notes for details)
      • VMware Smart Assurance Service Assurance Manager (SAM) 10.1.2.16 (refer to the VMware Smart Assurance 10.1.2.16 Patch Release Notes for details)
      • VMware Smart Assurance Service Assurance Manager (SAM) 10.1.5.5 (refer to the VMware Smart Assurance 10.1.5.5 Patch Release Notes for details)
  • The releases SAM 10.1.0.16, 10.1.2.16, 10.1.5.5 and the latest release VMware Smart Assurance 10.1.7 include the upgraded log4j 2.17, which addresses the following vulnerabilities:
      • CVE-2021-44228 - Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints.
      • CVE-2021-45046 - Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations.
      • CVE-2021-45105 - Uncontrolled recursion from self-referential Context lookups.
      • CVE-2021-4104 - JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to point at the attacker's JNDI LDAP endpoint.

Regarding CVE-2021-44832, which reported the following:
•    Removal of the LDAP protocol when making JNDI connections.
Note that VMware Smart Assurance SAM (Service Assurance Manager) does not make any JNDI connection, as the complete JNDI lookup class has been removed in 2.17.
Hence this issue remains unexploitable, with no exposure on Smarts.


Workaround:
For VMware Smart Assurance Service Assurance Manager versions 10.1.0.X, 10.1.2 and 10.1.5, implement the steps listed below.

1. Edit the file BASEDIR/Smarts/toolbox/elasticsearch/config/jvm.options and add the following line:
    -Dlog4j2.formatMsgNoLookups=true

2. Go to BASEDIR/Smarts/toolbox/elasticsearch/lib and execute the grep command below to confirm the presence of JndiLookup.class within the file “log4j-core-2.11.1.jar”. Output containing the keyword “matches” confirms that the JndiLookup.class entry is present.
   grep "JndiLookup.class" log4j-core-2.11.1.jar
      Binary file log4j-core-2.11.1.jar matches

3. Execute the command below to remove the class JndiLookup.class from the “log4j-core-2.11.1.jar” file. Re-running the grep from step 2 afterwards should produce no output, confirming the entry is gone.
     zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

4. Restart the Elasticsearch service.
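The four steps above, reproduced as an added example that is not VMware's code: it adds the jvm.options flag idempotently, detects the JndiLookup entry by reading the jar's zip directory (an exact check rather than the grep's byte match), rewrites the jar without that entry using Python's zipfile as a portable stand-in for `zip -q -d`, and verifies the result. The BASEDIR layout, the jvm.options contents and the log4j-core-2.11.1.jar it operates on are all constructed in a temporary directory; the Elasticsearch restart (step 4) is not reproduced.

```python
"""Added example (not VMware's code): the KB's Elasticsearch log4j workaround
steps implemented with Python's zipfile, exercised on a constructed sample
jar in a temp dir. zipfile stands in for the KB's `zip -q -d` command."""
import os
import tempfile
import zipfile

# Entry the KB removes from log4j-core-2.11.1.jar.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# JVM flag the KB adds to config/jvm.options.
NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def ensure_jvm_option(options_path, flag=NO_LOOKUPS_FLAG):
    """Step 1: append the flag to jvm.options unless it is already there.
    Returns True if the file was changed (safe to run repeatedly)."""
    existing = ""
    if os.path.exists(options_path):
        with open(options_path, encoding="utf-8") as f:
            existing = f.read()
    if any(line.strip() == flag for line in existing.splitlines()):
        return False
    with open(options_path, "a", encoding="utf-8") as f:
        if existing and not existing.endswith("\n"):
            f.write("\n")  # keep the flag on its own line
        f.write(flag + "\n")
    return True


def has_jndi_lookup(jar_path):
    """Step 2: the KB's grep check, done by reading the zip directory
    instead of matching bytes in the file."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            return JNDI_LOOKUP in jar.namelist()
    except zipfile.BadZipFile:
        return False  # not a jar at all


def find_jars_with_jndi_lookup(lib_dir):
    """Scan every .jar in lib/ (covers the KB's log4j-core-*.jar glob)."""
    return sorted(
        name for name in os.listdir(lib_dir)
        if name.endswith(".jar") and has_jndi_lookup(os.path.join(lib_dir, name))
    )


def remove_jndi_lookup(jar_path):
    """Step 3: rewrite the jar without JndiLookup.class, as `zip -q -d` does.
    Other entries keep their metadata; the swap is atomic via os.replace.
    Returns True if the entry was present and removed."""
    tmp_path = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        with zipfile.ZipFile(tmp_path, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_LOOKUP:
                    dst.writestr(info, src.read(info.filename))
    os.replace(tmp_path, jar_path)
    return True


def build_sample_jar(jar_path):
    """Constructed stand-in for log4j-core-2.11.1.jar: a manifest, one
    unrelated class and the JndiLookup entry (payloads are dummy bytes)."""
    with zipfile.ZipFile(jar_path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe dummy")
        jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe dummy")


def demo_workaround():
    """Run steps 1-3 plus verification against a constructed BASEDIR layout."""
    with tempfile.TemporaryDirectory() as base:
        es_dir = os.path.join(base, "Smarts", "toolbox", "elasticsearch")
        lib_dir = os.path.join(es_dir, "lib")
        config_dir = os.path.join(es_dir, "config")
        os.makedirs(lib_dir)
        os.makedirs(config_dir)

        options = os.path.join(config_dir, "jvm.options")
        with open(options, "w", encoding="utf-8") as f:
            f.write("-Xms1g\n-Xmx1g")  # constructed; no trailing newline on purpose
        jar = os.path.join(lib_dir, "log4j-core-2.11.1.jar")
        build_sample_jar(jar)
        # An unrelated jar that the scan must leave alone.
        with zipfile.ZipFile(os.path.join(lib_dir, "other.jar"), "w") as z:
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")

        result = {
            "flag_added": ensure_jvm_option(options),
            "flag_added_again": ensure_jvm_option(options),
            "before": find_jars_with_jndi_lookup(lib_dir),
            "removed": remove_jndi_lookup(jar),
            "after": find_jars_with_jndi_lookup(lib_dir),
        }
        with open(options, encoding="utf-8") as f:
            result["options_tail"] = f.read().splitlines()[-2:]
        with zipfile.ZipFile(jar) as z:
            result["remaining"] = sorted(z.namelist())
        return result


if __name__ == "__main__":
    for key, value in demo_workaround().items():
        print(f"{key}: {value}")
```

Scanning the whole lib directory rather than one named jar matters because the KB's step 3 already uses a `log4j-core-*.jar` glob; the directory scan also serves as the post-change check, since an empty result after removal is the equivalent of the grep producing no output.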


Additional Information


Change Log:

  • 14-December-2021 : Created KB article to remediate the log4j vulnerability (CVE-2021-44228) for VSA SAM 10.1.2 and SAM 10.1.5. The remediation is to set the flag "-Dlog4j2.formatMsgNoLookups=true" in the BASEDIR/Smarts/toolbox/elasticsearch/config/jvm.options file.
  • 15-December-2021 : Added steps to remove "JndiLookup.class" from the log4j-core-2.11.1.jar that is part of the Elasticsearch module.
  • 15-December-2021 : Appended Smarts 10.1.0.X to the affected versions, as the patch releases from Smarts 10.1.0.1 onward updated the Elasticsearch version from 2.4.1 to 7.3.1, which includes the log4j-core* jar.
  • 24-January-2022 : Appended the Resolution section to clarify that the next release of Smarts will upgrade log4j to version 2.17.
  • 28-January-2022 : Information added to the Resolution section for Smarts patch release 10.1.5.5, which will include the fix with upgraded log4j version 2.17.
  • 15-February-2022 : Information added to the Resolution section for Smarts patch release 10.1.2.16, which will include the fix with upgraded log4j version 2.17.
  • 24-February-2022 : Information added to the Resolution section for Smarts patch release 10.1.0.16, which will include the fix with upgraded log4j version 2.17.
  • 28-February-2022 : Information added to the Resolution section for Smarts release 10.1.7, which will include the fix with upgraded log4j version 2.17.


Impact/Risks:
An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.