Workaround instructions to address CVE-2021-44228 in Cloud Director Object Storage Extension

Article ID: 319848

Products

VMware Cloud Director

Issue/Introduction

CVE-2021-44228 has been determined to impact VMware Cloud Director Object Storage Extension through the Apache Log4j open source component that the extension ships. The vulnerability and its impact on VMware products are documented in the following VMware Security Advisory (VMSA); please review it before continuing:



Environment

VMware Cloud Director 10.x

Resolution

The workaround described in this document is a temporary mitigation only: it sets a JVM system property that disables message lookups in Log4j 2, it does not remove the vulnerable library.
Upgrades that remediate CVE-2021-44228 are already available and should be applied as soon as possible.

Workaround:
1. Log in as the ssh user, then sudo to root.
2. Edit the file /usr/lib/systemd/system/voss-vip.service.
3. In the line starting with ExecStart, insert the parameter -Dlog4j2.formatMsgNoLookups=true between java and -Xms1024m. The flag must sit before -jar, because anything after -jar is passed to the application rather than to the JVM. The updated line looks like this:
      ExecStart=/bin/sh -c 'java -Dlog4j2.formatMsgNoLookups=true -Xms1024m -Xmx1024m -jar /opt/vmware/vip/voss-vip.jar \
                      --server.scheme=http \
                      --server.address=127.0.0.1 \
                      --swagger-ui.enable=false \
                      --source.cache.flag=false \
                      --vipservice.cross.domain.enable=false \
                      --vipservice.cross.domain.allowCredentials=false \
                      -clean '

4. Run systemctl daemon-reload so systemd picks up the edited unit file.
5. Run systemctl restart voss-vip.
6. Run systemctl status voss-vip and confirm from the command line shown under CGroup that the running java process carries the parameter (checking the file alone is not enough; the flag only takes effect on the restarted process):
        Main PID: pid (java)
           CGroup: /system.slice/voss-vip.service
                   └─pid java -Dlog4j2.formatMsgNoLookups=true -Xms1024m -Xmx1024m -jar /opt/vmware/vip/voss-vip.jar --server.scheme=http --server.address=127.0.0....
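The following script automates steps 2 through 6 above and verifies the result against the running process rather than only the file on disk. It is an added example, not part of the KB article or of the product; it assumes the unit file path and the 'java -Xms1024m ... -jar' command layout shown above, and the sample unit file in the test is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the KB): apply the Log4j formatMsgNoLookups
# workaround to the voss-vip systemd unit idempotently and verify it.
# Assumes the unit file path and 'java -Xms1024m ... -jar' layout from the KB.

UNIT="${UNIT:-/usr/lib/systemd/system/voss-vip.service}"
FLAG='-Dlog4j2.formatMsgNoLookups=true'

# insert_flag FILE
# Inserts $FLAG right after the first 'java' token on the ExecStart line
# of FILE unless the flag is already present. Keeps a timestamped backup.
# Returns 0 if the file contains the flag afterwards, 1 otherwise.
insert_flag() {
    f="$1"
    [ -f "$f" ] || { echo "unit file not found: $f" >&2; return 1; }
    if grep -q -- "$FLAG" "$f"; then
        echo "flag already present in $f"
        return 0
    fi
    cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)"
    # Only touch the ExecStart line; require a non-word character before
    # 'java' so names such as 'myjava' are not rewritten.
    sed -i -E "/^[[:space:]]*ExecStart=/ s/(^|[^[:alnum:]_])java /\\1java $FLAG /" "$f"
    grep -q -- "$FLAG" "$f"
}

# flag_active CMDLINE
# Returns 0 only when the flag appears on the command line BEFORE -jar.
# Options after -jar are application arguments, not JVM system properties,
# so a flag placed there would silently do nothing.
flag_active() {
    case "$1" in
        *"$FLAG"*-jar*) return 0 ;;
        *) return 1 ;;
    esac
}

# apply_workaround
# Edits the unit, reloads systemd, restarts the service and checks the
# command line of the live main process.
apply_workaround() {
    insert_flag "$UNIT" || return 1
    systemctl daemon-reload
    systemctl restart voss-vip
    pid=$(systemctl show -p MainPID --value voss-vip)
    if [ -z "$pid" ] || [ "$pid" = 0 ]; then
        echo "voss-vip is not running" >&2
        return 1
    fi
    flag_active "$(ps -o args= -p "$pid")"
}

# Run with --apply as root on the appliance; without it, only the
# functions are defined (useful for sourcing and testing offline).
if [ "${1:-}" = "--apply" ]; then
    apply_workaround && echo "workaround applied and verified on the running process"
fi
```

The check in flag_active reads the live process via ps rather than the unit file, which catches the two common failure modes: the file was edited but daemon-reload or the restart was skipped, or the flag was appended after -jar where the JVM never sees it.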



Additional Information

Impact/Risks:

The Object Storage Extension service itself is not directly impacted by this vulnerability, but it ships an internal component (the voss-vip service) that depends on Log4j, and that component is what the workaround above hardens.

The workaround described in this document applies to the following versions:

  • VMware Cloud Director Object Storage Extension 1.X 

  • VMware Cloud Director Object Storage Extension 2.X