VMware Smart Assurance M&R: Workaround instructions to address CVE-2021-44228 vulnerability in VMware Smart Assurance M&R 9.6-6.8u5, 10.1.2-7.0u8, 10.1.5-7.2


Article ID: 323813


Updated On:

Products

VMware

Issue/Introduction

CVE-2021-44228 has been determined to impact VSA M&R 9.6-6.8u5, 10.1.2-7.0u8 and 10.1.5-7.2 via the Apache Log4j open source component that ships with the Elasticsearch module (and, in 10.1.5-7.2, with the Tomcat web applications and the Centralized-Management module as well). This vulnerability and its impact on VMware products are documented in VMware Security Advisory VMSA-2021-0028; please review that advisory before continuing.

Symptoms:

On December 14, 2021 the Apache Software Foundation notified the community that their initial guidance for CVE-2021-44228 workarounds (setting log4j2.formatMsgNoLookups) was not sufficient. We believe the instructions in this article to be an effective mitigation for CVE-2021-44228, but in the best interest of our customers we must assume this workaround may not adequately address all attack vectors.

We expect to fully address CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 by updating log4j to version 2.17 in forthcoming releases of “VMware Smart Assurance M&R”, as outlined by our software support policies. VMSA-2021-0028 will be updated when these releases are available. In the interim, we have updated this Knowledge Base article with revised guidance to remove all JndiLookup classes per Apache Software Foundation guidance. Please subscribe to this article to be informed when updates are published.


Environment

VMware Smart Assurance - Watch4Net/M&R

Resolution

The workarounds described in this document are meant to be a temporary solution only.
Upgrades documented in the aforementioned advisory should be applied to remediate CVE-2021-44228 when available.

Information about mitigation for M&R Releases:

  • VMware Smart Assurance M&R 10.1.7-7.3.0.5 has been released with log4j-core component upgraded to version 2.17.0.

Refer: VMware Smart Assurance 10.1.7 Release notes for more details

The following patches have been released for VMware Smart Assurance M&R:

  • A patch for M&R 9.6-6.8u5 (build 72118) has been released as VMware Smart Assurance M&R 10.1.0.16. The following services have had their log4j-core component upgraded to version 2.17.0:

• M&R Elasticsearch

Refer: VMware Smart Assurance 10.1.0.16 Patch Release notes for more details

  • A patch for M&R 10.1.2-7.0u8 has been released as VMware Smart Assurance M&R 10.1.2.16. The following services have had their log4j-core component upgraded to version 2.17.0:

• M&R Elasticsearch

Refer: VMware Smart Assurance 10.1.2.16 Patch Release notes for more details

  • A patch for M&R 10.1.5-7.2 has been released as VMware Smart Assurance M&R 10.1.5.5. The following services have had their log4j-core component upgraded to version 2.17.0:

• M&R Elasticsearch
• Centralized-Management
• Tomcat webapps: admin, alerting-frontend, APG, APG-REST, centralized-management, device-discovery, SSO etc.

Refer: VMware Smart Assurance 10.1.5.5 Patch Release notes for more details


The patch releases 10.1.0.16, 10.1.2.16, 10.1.5.5 and the latest VMware Smart Assurance M&R 10.1.7-7.3.0.5 release, include the upgraded log4j 2.17.0 which addresses the following vulnerabilities:

•  CVE-2021-44228 - Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints
•  CVE-2021-45046 - Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations
•  CVE-2021-45105 - Log4j2 does not protect against uncontrolled recursion from self-referential lookups (denial of service)


Workaround:

To apply the workaround for CVE-2021-44228 to VSA M&R 9.6-6.8u5, 10.1.2-7.0u8 and 10.1.5-7.2.0.1, follow the section below that matches your release. Keep a copy of each jar before editing it. A running JVM keeps the original class loaded, so the change only takes effect after the service update and start steps at the end of each section.

Workaround for VSA M&R 9.6-6.8u5 and M&R 10.1.2-7.0u8

  • Go to <Install Dir>/Databases/Elasticsearch/Default/lib and run the grep command below to confirm that the “log4j-core-2.7.jar” file contains the JndiLookup.class entry (grep finds the entry name in the jar's zip directory; the word “matches” in the output confirms it is present):
grep "JndiLookup.class" log4j-core-2.7.jar
Binary file log4j-core-2.7.jar matches
  • Run the command below to remove JndiLookup.class from the “log4j-core-2.7.jar” file. The wildcard assumes exactly one log4j-core jar in the directory; use the explicit file name if there are more. Running the grep command again afterwards should produce no output.
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
 
  • Update the Elasticsearch Service: 
                     <Install Dir>/bin/manage-modules.sh service update elasticsearch Default
  • Start the Elasticsearch Service:
                     <Install Dir>/bin/manage-modules.sh service start elasticsearch Default
 

Workaround for VSA M&R 10.1.5-7.2.0.1

1. Tomcat :

  • Edit <Install Dir>/Web-Servers/Tomcat/Default/conf/unix-service.properties and find the section below:

#===================================================
Additional Java Parameters, starting from index 1
#===================================================
jvm.param.1=-Djava.awt.headless=true
jvm.param.2=-Dcatalina.base="$MODULE_HOME$"
jvm.param.3=-Dcatalina.home="$MODULE_HOME$"
jvm.param.4=-Djava.endorsed.dirs="$MODULE_HOME$"/endorsed
jvm.param.5=-Djava.io.tmpdir="$MODULE_HOME$"/temp
jvm.param.6=-Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk14Logger
jvm.param.7=-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
jvm.param.8=-Djava.util.logging.config.file="$MODULE_HOME$"/conf/logging.properties
jvm.param.9=-Djavax.servlet.request.encoding=UTF-8
jvm.param.10=-Dfile.encoding=UTF-8
jvm.param.11=-Djavax.sql.DataSource.Factory=com.watch4net.apg.v2.gui.tomcat.W4NDataSourceFactory

  • Add the line at the end of this section

            jvm.param.<num>=-Dlog4j2.formatMsgNoLookups=true
            Where <num> is the next index number in numerical order.

For example:

jvm.param.10=-Dfile.encoding=UTF-8
jvm.param.11=-Djavax.sql.DataSource.Factory=com.watch4net.apg.v2.gui.tomcat.W4NDataSourceFactory
jvm.param.12=-Dlog4j2.formatMsgNoLookups=true

 

  • Perform the two steps below for each folder listed by the following command, run from /opt/APG (or from <Install Dir> if the install location was changed):
find . -name "log4j-core*"

./Web-Servers/Tomcat/Default/webapps/SSO/WEB-INF/lib/log4j-core-2.12.1.jar
./Web-Servers/Tomcat/Default/webapps/admin/WEB-INF/lib/log4j-core-2.12.1.jar
./Web-Servers/Tomcat/Default/webapps/alerting-frontend/WEB-INF/lib/log4j-core-2.12.1.jar
./Web-Servers/Tomcat/Default/webapps/centralized-management/WEB-INF/lib/log4j-core-2.12.1.jar
./Web-Servers/Tomcat/Default/webapps/device-discovery/WEB-INF/lib/log4j-core-2.12.1.jar
./Web-Servers/Tomcat/Default/webapps/APG/WEB-INF/lib/log4j-core-2.12.1.jar
./Web-Servers/Tomcat/Default/webapps/APG-REST/WEB-INF/lib/log4j-core-2.12.1.jar

  • Go to each folder in the list above (for example /opt/APG/Web-Servers/Tomcat/Default/webapps/APG/WEB-INF/lib) and run the grep command below to confirm that the “log4j-core-2.12.1.jar” file contains the JndiLookup.class entry. The word “matches” in the output confirms it is present.

grep "JndiLookup.class" log4j-core-2.12.1.jar
Binary file log4j-core-2.12.1.jar matches
  • Run the command below to remove JndiLookup.class from the “log4j-core-2.12.1.jar” file. Running the grep command again afterwards should produce no output.

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
 
  • Update tomcat service:
<Install Dir>/bin/manage-modules.sh service update tomcat Default
  • Start the tomcat service:
<Install Dir>/bin/manage-modules.sh service start tomcat Default
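The jvm.param edit in step 1 above is easy to get wrong by hand (a duplicate index, or the line added twice on a second pass). The helper below is an added example written for this article, not VMware tooling: it computes <num> as the highest existing jvm.param index plus one, inserts the -Dlog4j2.formatMsgNoLookups=true line directly after the last jvm.param line, leaves the file alone if the flag is already set, and refuses to proceed if the flag is present with a different value. The SAMPLE text is a constructed, abridged copy of the section quoted above; the file path and the .bak naming are assumptions.

```python
"""Append jvm.param.<next>=-Dlog4j2.formatMsgNoLookups=true to Tomcat's
unix-service.properties.  Added example for this article, not VMware
tooling.  <next> is max(existing index) + 1, so a gap in the numbering
cannot produce a duplicate index, and the edit is idempotent.  Assumption:
the file is UTF-8 with one jvm.param.N=value per line, as shown above."""
import re
import shutil
from pathlib import Path

JVM_PARAM_RE = re.compile(r"^jvm\.param\.(\d+)=(.*)$")
NO_LOOKUPS_KEY = "-Dlog4j2.formatMsgNoLookups="
NO_LOOKUPS_LINE = NO_LOOKUPS_KEY + "true"


def add_no_lookups_param(text):
    """Return the properties text with the flag inserted right after the last
    jvm.param.N line.  Unchanged if the flag is already set to true; raises
    if it is present with another value so the operator resolves it by hand."""
    lines = text.split("\n")
    max_idx, last_pos = 0, None
    for pos, line in enumerate(lines):
        m = JVM_PARAM_RE.match(line.strip())
        if not m:
            continue
        idx, value = int(m.group(1)), m.group(2).strip()
        if value.startswith(NO_LOOKUPS_KEY):
            if value == NO_LOOKUPS_LINE:
                return text  # already applied, nothing to do
            raise ValueError(f"line {pos + 1}: conflicting setting {value!r}")
        max_idx, last_pos = max(max_idx, idx), pos
    if last_pos is None:
        raise ValueError("no jvm.param.N entries found")
    lines.insert(last_pos + 1, f"jvm.param.{max_idx + 1}={NO_LOOKUPS_LINE}")
    return "\n".join(lines)


def patch_properties_file(path):
    """Apply the edit to a file on disk, keeping a .bak copy (assumed naming).
    Returns True if the file was changed."""
    path = Path(path)
    original = path.read_text(encoding="utf-8")
    updated = add_no_lookups_param(original)
    if updated == original:
        return False
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    path.write_text(updated, encoding="utf-8")
    return True


# Constructed sample: an abridged copy of the section quoted in the article.
SAMPLE = """\
#===================================================
Additional Java Parameters, starting from index 1
#===================================================
jvm.param.1=-Djava.awt.headless=true
jvm.param.2=-Dcatalina.base="$MODULE_HOME$"
jvm.param.9=-Djavax.servlet.request.encoding=UTF-8
jvm.param.10=-Dfile.encoding=UTF-8
jvm.param.11=-Djavax.sql.DataSource.Factory=com.watch4net.apg.v2.gui.tomcat.W4NDataSourceFactory
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. /opt/APG/Web-Servers/Tomcat/Default/conf/unix-service.properties
        print("changed" if patch_properties_file(sys.argv[1]) else "unchanged")
    else:
        print(add_no_lookups_param(SAMPLE))
```

After patching the file, run the service update and start commands shown above so Tomcat picks up the new parameter. Treat this flag as defence in depth only; as the Symptoms section notes, the Apache Software Foundation withdrew it as a sufficient mitigation, and the JndiLookup.class removal remains the required step.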
 

2. Elasticsearch :

  • Go to <Install Dir>/Databases/Elasticsearch/Default/lib and run the grep command below to confirm that the “log4j-core-2.7.jar” file contains the JndiLookup.class entry. The word “matches” in the output confirms it is present.
grep "JndiLookup.class" log4j-core-2.7.jar
Binary file log4j-core-2.7.jar matches
  • Run the command below to remove JndiLookup.class from the “log4j-core-2.7.jar” file. Running the grep command again afterwards should produce no output.
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
 
  • Update Elasticsearch service:
<Install Dir>/bin/manage-modules.sh service update elasticsearch Default
  • Start Elasticsearch service:
<Install Dir>/bin/manage-modules.sh service start elasticsearch Default
 

3. Centralized-Management web application:

  • Go to <Install Dir>/Web-Applications/Centralized-Management/centralized-management/lib/ and run the grep command below to confirm that the “log4j-core-2.12.1.jar” file contains the JndiLookup.class entry. The word “matches” in the output confirms it is present.
grep "JndiLookup.class" log4j-core-2.12.1.jar
Binary file log4j-core-2.12.1.jar matches
 
  • Run the command below to remove JndiLookup.class from the “log4j-core-2.12.1.jar” file. Running the grep command again afterwards should produce no output.
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
 
  • Update the Tomcat service:
<Install Dir>/bin/manage-modules.sh service update tomcat Default
  • Start Tomcat service:
<Install Dir>/bin/manage-modules.sh service start tomcat Default
  • Restart Webservice gateway:
<Install Dir>/bin/manage-modules.sh service restart webservice-gateway Default
 

Note for Windows deployment

The same change can be made on a Windows deployment with the 7z utility, as in the example below (one command per log4j-core jar found under the install directory; use straight quotes around the path):
7z d "<Install Dir>\APG\Web-Servers\Tomcat\Default\webapps\APG\WEB-INF\lib\log4j-core-2.12.1.jar" org\apache\logging\log4j\core\lookup\JndiLookup.class
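The Linux sections above and the Windows note all perform the same three operations: find every log4j-core jar, confirm JndiLookup.class is inside it, and delete that entry. The script below is an added example written for this article, not a VMware script. It reproduces those steps with Python's standard-library zipfile so one tool covers both platforms, rewrites each jar without the entry (zipfile cannot delete in place), keeps a .bak copy, and re-checks the jar afterwards, which is the verification the grep step provides. The sample install tree it builds when run without arguments is constructed for illustration; the default /opt/APG path, the .bak naming and the assumption that the owning service is stopped beforehand and started afterwards with manage-modules.sh are mine.

```python
"""Find every log4j-core jar under an M&R install directory, check for the
JndiLookup class and strip it.  Added example for this article, not a VMware
script: it reproduces the page's find / grep / zip -d (7z d on Windows) steps
with Python's stdlib zipfile, so the same code runs on Linux and Windows.
Assumptions: the jars are ordinary zip files (true for log4j-core), and the
owning service is stopped before a jar is rewritten and started afterwards
with manage-modules.sh as the article describes."""
import os
import shutil
import sys
import tempfile
import zipfile
from pathlib import Path

# The entry removed by the article's `zip -q -d` / `7z d` command.
JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def find_log4j_core_jars(root):
    """Equivalent of: find <Install Dir> -name "log4j-core*" (jar files only)."""
    return sorted(p for p in Path(root).rglob("log4j-core*.jar") if p.is_file())


def entry_names(jar_path):
    """Sorted entry names from the jar's zip central directory."""
    with zipfile.ZipFile(jar_path) as zf:
        return sorted(zf.namelist())


def has_jndi_lookup(jar_path):
    """Equivalent of the article's grep check, but it reads the zip directory
    instead of scanning raw bytes, so it cannot false-match on a string that
    happens to sit inside some unrelated class."""
    return JNDI_ENTRY in entry_names(jar_path)


def strip_jndi_lookup(jar_path, backup=True):
    """Remove JndiLookup.class, keeping every other entry and its compression
    settings.  The archive is rewritten to a temp file and swapped in with
    os.replace.  Returns True if the entry was removed, False if already clean."""
    jar_path = Path(jar_path)
    if not has_jndi_lookup(jar_path):
        return False
    if backup:
        shutil.copy2(jar_path, jar_path.with_name(jar_path.name + ".bak"))
    tmp_path = jar_path.with_name(jar_path.name + ".tmp")
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_ENTRY:
                dst.writestr(info, src.read(info))  # ZipInfo carries compress_type
    os.replace(tmp_path, jar_path)
    return True


def remediate(root, dry_run=False):
    """Walk the install tree.  Returns {jar path: 'clean' | 'vulnerable' |
    'stripped'}; with dry_run it only reports.  Each rewritten jar is
    re-checked, mirroring the article's second grep."""
    results = {}
    for jar in find_log4j_core_jars(root):
        if not has_jndi_lookup(jar):
            results[str(jar)] = "clean"
        elif dry_run:
            results[str(jar)] = "vulnerable"
        else:
            strip_jndi_lookup(jar)
            if has_jndi_lookup(jar):
                raise RuntimeError(f"{jar}: JndiLookup.class still present")
            results[str(jar)] = "stripped"
    return results


def make_sample_install_dir():
    """Constructed sample tree mimicking the article's layout (not real M&R
    files): one jar with the JNDI lookup class, one without.  The class
    bodies are placeholder bytes."""
    root = Path(tempfile.mkdtemp(prefix="apg-sample-"))
    tomcat_lib = root / "Web-Servers/Tomcat/Default/webapps/APG/WEB-INF/lib"
    es_lib = root / "Databases/Elasticsearch/Default/lib"
    tomcat_lib.mkdir(parents=True)
    es_lib.mkdir(parents=True)
    other = "org/apache/logging/log4j/core/lookup/DateLookup.class"
    with zipfile.ZipFile(tomcat_lib / "log4j-core-2.12.1.jar", "w",
                         zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_ENTRY, b"\xca\xfe\xba\xbe")
        zf.writestr(other, b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(es_lib / "log4j-core-2.7.jar", "w") as zf:
        zf.writestr(other, b"\xca\xfe\xba\xbe")
    return root


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--dry-run"]
    target = args[0] if args else make_sample_install_dir()  # real run: /opt/APG
    for path, state in remediate(target, dry_run="--dry-run" in sys.argv).items():
        print(f"{state:10s} {path}")
```

Run it first with --dry-run against the install directory to get the same inventory the find and grep steps give, then without the flag once the affected services are stopped; finish with the manage-modules.sh service update and start commands from the relevant section.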


Additional Information

Change Log: 

  • 16-December-2021 : Created KB article to remediate the log4j vulnerability (CVE-2021-44228) for VMware Smart Assurance M&R 9.6-6.8u5, 10.1.2-7.0u8, 10.1.5-7.2. The initial remediation was to set the log4j2.formatMsgNoLookups system property for all services that load log4j-core jar files.
  • 17-December-2021 : Added the step to update the service before restarting the Elasticsearch service.
  • 17-December-2021 : Added steps to remove "JndiLookup.class" from "log4j-core*" jars under the Centralized-Management web application module.
  • 20-December-2021 : Updated Workaround section.
  • 21-December-2021 : Added note for windows deployment
  • 06-January-2022  : Updated Resolution to include information regarding upgrade version.
  • 28-January-2022 : Updated Resolution Section to include the release of VSA SAM 10.1.5.5 and information about automated script for M&R 7.2.0.1
  • 15-February-2022 : Updated Resolution Section to include the release of VSA SAM 10.1.2.16
  • 24-February-2022 : Updated Resolution Section to include the release of VSA SAM 10.1.0.16
  • 8-March-2022 : Updated Resolution Section to include the release of VSA 10.1.7-7.3.0.5


Impact/Risks:
An attacker who can control log messages or log message parameters can execute arbitrary code loaded from attacker-controlled LDAP (or other JNDI) servers when message lookup substitution is enabled.