Workaround instructions to address CVE-2021-44228 vulnerability
search cancel

Workaround instructions to address CVE-2021-44228 vulnerability

book

Article ID: 323813

calendar_today

Updated On:

Products

VMware Smart Assurance

Issue/Introduction

CVE-2021-44228 has been determined to impact VSA M&R 9.6-6.8u5, 10.1.2-7.0u8, 10.1.5-7.2 via the Apache Log4j open source component it ships along with elastic search module.  This vulnerability and its impact on VMware products are documented in the following VMware Security Advisory (VMSA), please review this document before continuing:



Symptoms:

On December 14, 2021 the Apache Software Foundation notified the community  that their initial guidance for CVE-2021-44228 workarounds was not sufficient. We believe the instructions in this article to be an effective mitigation for CVE-2021-44228, but in the best interest of our customers we must assume this workaround may not adequately address all attack vectors. 

We expect to fully address CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 by updating log4j to version 2.17 in forthcoming releases of “VMware Smart Assurance M&R”, as outlined by our software support policies. VMSA-2021-0028  will be updated when these releases are available. In the interim, we have updated this Knowledge Base article with revised guidance to remove all JndiLookup classes per Apache Software Foundation guidance. Please subscribe to this article to be informed when updates are published.

 

Environment

Watch4Net/M&R - 9.6-6.8u5, 10.1.2-7.0u8, 10.1.5-7.2

Resolution

The workarounds described in this document are meant to be a temporary solution only.
Upgrades documented in the aforementioned advisory should be applied to remediate CVE-2021-44228 when available.

Information about mitigation for M&R Releases:

  • VMware Smart Assurance M&R 10.1.7-7.3.0.5 has been released with log4j-core component upgraded to version 2.17.0.

Refer: VMware Smart Assurance 10.1.7 Release notes for more details

Following patches have been released under VMware Smart Assurance M&R

  • A patch for M&R 9.6-6.8u5 (build 72118) has been released under VMware Smart Assurance M&R 10.1.0.16. The following services have upgraded the log4j-core component to version 2.17.0.

• M&R Elasticsearch

Refer: VMware Smart Assurance 10.1.0.16 Patch Release notes for more details

  • A patch for M&R 10.1.2-7.0u8 has been released under VMware Smart Assurance M&R 10.1.2.16. The following services have upgraded the log4j-core component to version 2.17.0.

• M&R Elasticsearch

Refer: VMware Smart Assurance 10.1.2.16 Patch Release notes for more details

  • A patch for M&R 10.1.5-7.2 has been released under VMware Smart Assurance M&R 10.1.5.5. The following services have upgraded the log4j-core component to version 2.17.0.

• M&R Elasticsearch
• Centralized-Management
• Tomcat webapps: admin, alerting-frontend, APG, APG-REST, centralized-management, device-discovery, SSO etc.

Refer: VMware Smart Assurance 10.1.5.5 Patch Release notes for more details


The patch releases 10.1.0.16, 10.1.2.16, 10.1.5.5 and the latest VMware Smart Assurance M&R 10.1.7-7.3.0.5 release, include the upgraded log4j 2.17.0 which addresses the following vulnerabilities:

•  CVE-2021-44228 - Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints
•  CVE-2021-45046 - Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations
•  CVE-2021-45105 - Avoid the uncontrolled recursion from self-referential Context lookups.


Workaround:

To apply the workaround for CVE-2021-44228 to VSA M&R 9.6-6.8u5, 10.1.2-7.0u8, 10.1.5-7.2.0.1  there are workaround sections to update on the VSA M&R.

Workaround for VSA M&R 9.6-6.8u5 and M&R 10.1.2-7.0u8

  • Goto <Install Dir>/Databases/Elasticsearch/Default/lib and execute the below grep command to confirm the presence of JndiLookup.class within the file “log4j-core-2.7.jar”. The output with keyword “matches” confirms the presence of JndiLookup.class entry
grep "JndiLookup.class" log4j-core-2.7.jar
Binary file log4j-core-2.7.jar matches
  • Execute the below command to remove the class JndiLookup.class from the “log4j-core-2.7.jar” file.
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
 
  • Update the Elasticsearch Service: 
                     <Install Dir>/bin/manage-modules.sh service update elasticsearch Default
  • Start the Elasticsearch Service:
                     <Install Dir>/bin/manage-modules.sh service start elasticsearch Default
 

Workaround for VSA M&R 10.1.5-7.2.0.1

1. Tomcat :

  • Edit <Install Dir>/Web-Servers/Tomcat/Default/conf/unix-service.properties and find the section below:

#===================================================
Additional Java Parameters, starting from index 1
#===================================================
jvm.param.1=-Djava.awt.headless=true
jvm.param.2=-Dcatalina.base="$MODULE_HOME$"
jvm.param.3=-Dcatalina.home="$MODULE_HOME$"
jvm.param.4=-Djava.endorsed.dirs="$MODULE_HOME$"/endorsed
jvm.param.5=-Djava.io.tmpdir="$MODULE_HOME$"/temp
jvm.param.6=-Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk14Logger
jvm.param.7=-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
jvm.param.8=-Djava.util.logging.config.file="$MODULE_HOME$"/conf/logging.properties
jvm.param.9=-Djavax.servlet.request.encoding=UTF-8
jvm.param.10=-Dfile.encoding=UTF-8
jvm.param.11=-Djavax.sql.DataSource.Factory=com.watch4net.apg.v2.gui.tomcat.W4NDataSourceFactory

  • Add the line at the end of this section

            jvm.param.<num>=-Dlog4j2.formatMsgNoLookups=true
            Where <num> is the next index number in numerical order.

For example:

jvm.param.10=-Dfile.encoding=UTF-8
jvm.param.11=-Djavax.sql.DataSource.Factory=com.watch4net.apg.v2.gui.tomcat.W4NDataSourceFactory
jvm.param.12=-Dlog4j2.formatMsgNoLookups=true

 

  • Execute below 2 steps for all the folders obtained by running below command from /opt/APG (<Install Dir> if any changes to install location)
find . -name "log4j-core*"

./Web-Servers/Tomcat/Default/webapps/SSO/WEB-INF/lib/log4j-core-2.12.1.jar
./Web-Servers/Tomcat/Default/webapps/admin/WEB-INF/lib/log4j-core-2.12.1.jar
./Web-Servers/Tomcat/Default/webapps/alerting-frontend/WEB-INF/lib/log4j- core-2.12.1.jar
./Web-Servers/Tomcat/Default/webapps/centralized-management/WEB-INF/lib/log4j-core-2.12.1.jar
./Web-Servers/Tomcat/Default/webapps/device-discovery/WEB-INF/lib/log4j-core-2.12.1.jar
./Web-Servers/Tomcat/Default/webapps/APG/WEB-INF/lib/log4j-core-2.12.1.jar
./Web-Servers/Tomcat/Default/webapps/APG-REST/WEB-INF/lib/log4j-core-2.12.1.jar

  • Goto each folder from above list (For Example : /opt/APG/Web-Servers/Tomcat/Default/webapps/APG/WEB-INF/lib) and execute the below grep command to confirm the presence of JndiLookup.class within the file “log4j-core-2.12.1.jar”. The output with keyword “matches” confirms the presence of JndiLookup.class entry. 

grep "JndiLookup.class" log4j-core-2.12.1.jar
Binary file log4j-core-2.12.1.jarmatches
  • Execute the below command to remove the class JndiLookup.class from the “log4j-core-2.12.1.jar” file.

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
 
  • Update tomcat service:
<Install Dir>/bin/manage-modules.sh service update tomcat Default
  • Start the tomcat service:
<Install Dir>/bin/manage-modules.sh service start tomcat Default
 

2. Elasticsearch :

  • Goto <Install Dir>/Databases/Elasticsearch/Default/lib and execute the below grep command to confirm the presence of JndiLookup.class within the file “log4j-core-2.7.jar”. The output with keyword “matches” confirms the presence of JndiLookup.class entry.
grep "JndiLookup.class" log4j-core-2.7.jar
Binary file log4j-core-2.7.jar matches
  • Execute the below command to remove the class JndiLookup.class from the “log4j-core-2.7.jar” file.
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
 
  • Update Elasticsearch service:
<Install Dir>/bin/manage-modules.sh service update elasticsearch Default
  • Start Elasticsearch service:
<Install Dir>/bin/manage-modules.sh service start elasticsearch Default
 

3. Centralized-Management web application:

  • Goto <Install Dir>/Web-Applications/Centralized-Management/centralized-management/lib/ and execute the below grep command to confirm the presence of JndiLookup.class within the file “log4j-core-2.12.1.jar”. The output with keyword “matches” confirms the presence of JndiLookup.class entry.
grep "JndiLookup.class" log4j-core-2.12.1.jar
Binary file log4j-core-2.12.1.jar matches
 
  • Execute the below command to remove the class JndiLookup.class from the “log4j-core-2.12.1.jar” file.
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
 
  • Update the Tomcat service:
<Install Dir>/bin/manage-modules.sh service update tomcat Default
  • Start Tomcat service:
<Install Dir>/bin/manage-modules.sh service start tomcat Default
  • Restart Webservice gateway:
<Install Dir>/bin/manage-modules.sh service restart webservice-gateway Default
 

Note for Windows deployment

Similar changes can be done in windows deployment by using 7z utility as shown in the example below.
7z d “<Install Dir>\APG\Web-Servers\Tomcat\Default\webapps\APG\WEB-INF\lib\log4j-core-2.12.1.jar” org\apache\logging\log4j\core\lookup\JndiLookup.class


Additional Information

Change Log: 

  • 16-December-2021 : Created KB article to remediate log4j vulnerability (CVE : CVE-2021-44228) for VMware Smart Assurance M&R 9.6-6.8u5, 10.1.2-7.0u8, 10.1.5-7.2 , The remediation is to set the system property present at all the log4j-core.jar files.
  • 17-December-2021 : Added additional step to update the service before restarting the elastic search servic.
  • 17-December-2021 : Added steps to remove "jndiLookup.class" on "log4j-core*" present under the Centralized-Management web application module.
  • 20-December-2021 : Updated Workaround section.
  • 21-December-2021 : Added note for windows deployment
  • 06-January-2022  : Updated Resolution to include information regarding upgrade version.
  • 28-January-2022 : Updated Resolution Section to include the release of VSA SAM 10.1.5.5 and information about automated script for M&R 7.2.0.1
  • 15-February-2022 : Updated Resolution Section to include the release of VSA SAM 10.1.2.16
  • 24-February-2022 : Updated Resolution Section to include the release of VSA SAM 10.1.0.16
  • 8-March-2022 : Updated Resolution Section to include the release of VSA 10.1.7-7.3.0.5


Impact/Risks:
An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.