CVE-2021-44228 has been determined to impact VSA M&R 9.6-6.8u5, 10.1.2-7.0u8 and 10.1.5-7.2 via the Apache Log4j open source component that ships with the Elasticsearch module. This vulnerability and its impact on VMware products are documented in the following VMware Security Advisory (VMSA); please review that document before continuing:
On December 14, 2021, the Apache Software Foundation notified the community that its initial guidance for CVE-2021-44228 workarounds was not sufficient. We believe the instructions in this article to be an effective mitigation for CVE-2021-44228, but in the best interest of our customers we must assume this workaround may not adequately address all attack vectors.
We expect to fully address CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 by updating log4j to version 2.17 in forthcoming releases of “VMware Smart Assurance M&R”, as outlined by our software support policies. VMSA-2021-0028 will be updated when these releases are available. In the interim, we have updated this Knowledge Base article with revised guidance to remove all JndiLookup classes per Apache Software Foundation guidance. Please subscribe to this article to be informed when updates are published.
Watch4Net/M&R - 9.6-6.8u5, 10.1.2-7.0u8, 10.1.5-7.2
VMware Smart Assurance M&R 10.1.7-7.3.0.5 has been released with log4j-core component upgraded to version 2.17.0.
Refer to the VMware Smart Assurance 10.1.7 Release Notes for more details.
A patch for M&R 9.6-6.8u5 (build 72118) has been released under VMware Smart Assurance M&R 10.1.0.16. The following services have had the log4j-core component upgraded to version 2.17.0:
• M&R Elasticsearch
Refer to the VMware Smart Assurance 10.1.0.16 Patch Release Notes for more details.
A patch for M&R 10.1.2-7.0u8 has been released under VMware Smart Assurance M&R 10.1.2.16. The following services have had the log4j-core component upgraded to version 2.17.0:
• M&R Elasticsearch
Refer to the VMware Smart Assurance 10.1.2.16 Patch Release Notes for more details.
The following services in the VMware Smart Assurance M&R 10.1.5.5 patch have had the log4j-core component upgraded to version 2.17.0:
• M&R Elasticsearch
• Centralized-Management
• Tomcat webapps: admin, alerting-frontend, APG, APG-REST, centralized-management, device-discovery, SSO, etc.
Refer to the VMware Smart Assurance 10.1.5.5 Patch Release Notes for more details.
The patch releases 10.1.0.16, 10.1.2.16 and 10.1.5.5, and the latest VMware Smart Assurance M&R 10.1.7-7.3.0.5 release, include the upgraded log4j 2.17.0, which addresses the following vulnerabilities:
• CVE-2021-44228 - Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints
• CVE-2021-45046 - Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations
• CVE-2021-45105 - Log4j2 does not protect against uncontrolled recursion from self-referential Context lookups
To apply the workaround for CVE-2021-44228 to VSA M&R 9.6-6.8u5, 10.1.2-7.0u8 and 10.1.5-7.2.0.1, update the following workaround sections on the VSA M&R.
#===================================================
Additional Java Parameters, starting from index 1
#===================================================
jvm.param.1=-Djava.awt.headless=true
jvm.param.2=-Dcatalina.base="$MODULE_HOME$"
jvm.param.3=-Dcatalina.home="$MODULE_HOME$"
jvm.param.4=-Djava.endorsed.dirs="$MODULE_HOME$"/endorsed
jvm.param.5=-Djava.io.tmpdir="$MODULE_HOME$"/temp
jvm.param.6=-Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk14Logger
jvm.param.7=-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
jvm.param.8=-Djava.util.logging.config.file="$MODULE_HOME$"/conf/logging.properties
jvm.param.9=-Djavax.servlet.request.encoding=UTF-8
jvm.param.10=-Dfile.encoding=UTF-8
jvm.param.11=-Djavax.sql.DataSource.Factory=com.watch4net.apg.v2.gui.tomcat.W4NDataSourceFactory
jvm.param.<num>=-Dlog4j2.formatMsgNoLookups=true
Where <num> is the next index in numerical sequence after the last existing jvm.param entry.
For example:
jvm.param.10=-Dfile.encoding=UTF-8
jvm.param.11=-Djavax.sql.DataSource.Factory=com.watch4net.apg.v2.gui.tomcat.W4NDataSourceFactory
jvm.param.12=-Dlog4j2.formatMsgNoLookups=true
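Picking the next jvm.param index by hand is error-prone because the indexes are numbers, not text (jvm.param.10 sorts before jvm.param.9 as a string). The following helper is an added example, not code from the VMware article or product: it finds the highest existing jvm.param.<num> index numerically, appends -Dlog4j2.formatMsgNoLookups=true under the next index, and does nothing if the entry is already present. The properties layout is assumed to match the fragment above, and the sample text is constructed for the demo. As the notice at the top of this article states, this flag on its own is no longer considered a complete mitigation.

```python
import re
from pathlib import Path

# Hypothetical helper (not part of the VMware article): appends the
# -Dlog4j2.formatMsgNoLookups=true JVM parameter to an M&R service
# properties file using the next free "jvm.param.<num>" index.
NO_LOOKUPS_PARAM = "-Dlog4j2.formatMsgNoLookups=true"
_PARAM_RE = re.compile(r"^\s*jvm\.param\.(\d+)\s*=(.*)$")


def next_jvm_param_index(lines):
    """Highest jvm.param.<num> index seen, plus one (1 if there is none).

    Indexes are compared as integers, so jvm.param.10 > jvm.param.9."""
    highest = 0
    for line in lines:
        m = _PARAM_RE.match(line)
        if m:
            highest = max(highest, int(m.group(1)))
    return highest + 1


def add_no_lookups_param(text):
    """Return (new_text, changed). Idempotent: never adds a duplicate entry."""
    lines = text.splitlines()
    for line in lines:
        m = _PARAM_RE.match(line)
        if m and m.group(2).strip() == NO_LOOKUPS_PARAM:
            return text, False
    idx = next_jvm_param_index(lines)
    lines.append(f"jvm.param.{idx}={NO_LOOKUPS_PARAM}")
    return "\n".join(lines) + "\n", True


def patch_properties_file(path):
    """Apply add_no_lookups_param to a file on disk; returns True if it was changed."""
    p = Path(path)
    new_text, changed = add_no_lookups_param(p.read_text())
    if changed:
        p.write_text(new_text)
    return changed


# Constructed sample mirroring the article's fragment (not a real M&R file).
SAMPLE = """#===================================================
# Additional Java Parameters, starting from index 1
#===================================================
jvm.param.1=-Djava.awt.headless=true
jvm.param.10=-Dfile.encoding=UTF-8
jvm.param.11=-Djavax.sql.DataSource.Factory=com.watch4net.apg.v2.gui.tomcat.W4NDataSourceFactory
"""

if __name__ == "__main__":
    out, changed = add_no_lookups_param(SAMPLE)
    print(out.splitlines()[-1], changed)  # jvm.param.12=-Dlog4j2.formatMsgNoLookups=true True
```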
./Web-Servers/Tomcat/Default/webapps/SSO/WEB-INF/lib/log4j-core-2.12.1.jar
./Web-Servers/Tomcat/Default/webapps/admin/WEB-INF/lib/log4j-core-2.12.1.jar
./Web-Servers/Tomcat/Default/webapps/alerting-frontend/WEB-INF/lib/log4j-core-2.12.1.jar
./Web-Servers/Tomcat/Default/webapps/centralized-management/WEB-INF/lib/log4j-core-2.12.1.jar
./Web-Servers/Tomcat/Default/webapps/device-discovery/WEB-INF/lib/log4j-core-2.12.1.jar
./Web-Servers/Tomcat/Default/webapps/APG/WEB-INF/lib/log4j-core-2.12.1.jar
./Web-Servers/Tomcat/Default/webapps/APG-REST/WEB-INF/lib/log4j-core-2.12.1.jar
Go to each folder in the list above (for example /opt/APG/Web-Servers/Tomcat/Default/webapps/APG/WEB-INF/lib) and run the grep command below to confirm that JndiLookup.class is present in the file “log4j-core-2.12.1.jar”. Output containing the keyword “matches” confirms that the JndiLookup.class entry is present.
Execute the command below to remove the class JndiLookup.class from the “log4j-core-2.12.1.jar” file.
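As an added example (not VMware's or Apache's code), the following Python helper performs the same check and removal for each log4j-core jar under the webapps paths listed above: it tests for the JndiLookup.class entry, strips it by rewriting the jar while keeping a .bak copy, and re-checks. The install root layout and the entry path org/apache/logging/log4j/core/lookup/JndiLookup.class (the class named in Apache's guidance) are assumptions here; run_demo() works on a constructed stand-in jar, not the real library.

```python
import shutil
import tempfile
import zipfile
from pathlib import Path

# Hypothetical helper, not from the VMware article: it reproduces the article's
# grep check (is JndiLookup.class still inside a log4j-core jar?) and its removal
# step (strip that entry) with Python's zipfile. Entry path per Apache guidance.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_GLOB = "Web-Servers/Tomcat/Default/webapps/*/WEB-INF/lib/log4j-core-*.jar"

def has_jndi_lookup(jar_path):
    """True if the jar still carries the JndiLookup class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP_ENTRY in jar.namelist()

def remove_jndi_lookup(jar_path):
    """Rewrite jar without JndiLookup.class (keeps <jar>.bak); True if removed, False if clean."""
    jar_path = Path(jar_path)
    if not has_jndi_lookup(jar_path):
        return False
    backup = jar_path.with_name(jar_path.name + ".bak")
    shutil.copy2(jar_path, backup)
    tmp = jar_path.with_name(jar_path.name + ".tmp")
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP_ENTRY:
                dst.writestr(info, src.read(info.filename))  # keeps entry metadata
    tmp.replace(jar_path)  # atomic swap on the same filesystem
    return True

def scan_webapps(root):
    """Map each log4j-core jar under the article's webapps paths to its check result."""
    return {str(p): has_jndi_lookup(p) for p in Path(root).glob(JAR_GLOB)}

def run_demo():
    """Build a throwaway APG-like tree with a constructed jar, check, clean, re-check."""
    root = Path(tempfile.mkdtemp())
    lib = root / "Web-Servers/Tomcat/Default/webapps/APG/WEB-INF/lib"
    lib.mkdir(parents=True)
    jar = lib / "log4j-core-2.12.1.jar"  # constructed stand-in, not the real library
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")  # class-file magic only
    before = list(scan_webapps(root).values())
    removed = remove_jndi_lookup(jar)
    after = list(scan_webapps(root).values())
    return {"before": before, "removed": removed, "after": after,
            "second_run": remove_jndi_lookup(jar),
            "backup": jar.with_name(jar.name + ".bak").exists()}
```

A running JVM keeps using the jar it loaded at startup, so the affected Tomcat service must be restarted for the rewritten jar to take effect.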
Change Log: