CVE-2021-44228 and CVE-2021-45046 have been determined to impact vRealize Operations Cloud via the Apache Log4j open source component it ships.  This vulnerability and its impact on VMware products are documented in the following VMware Security Advisory (VMSA), please review this document before continuing:

• CVE-2021-44228 - VMSA-2021-0028

TVS Management Packs Affected:

• TVS MP for Apache Tomcat
• TVS MP for Citrix ADC
• vROps MP for Dell EMC Isilon (formerly TVS MP for Dell EMC Isilon)
• vROps MP for Dell EMC Powermax-VMax (formerly TVS MP for Dell EMC Powermax-VMax)
• vROps MP for Dell EMC Xtremio (formerly TVS MP for Dell EMC Xtremio)
• TVS MP for F5 Big-IP
• vROps MP for HPE 3Par StoreServ (formerly TVS MP for HPE 3Par StoreServ)
• vROps MP for HPE Nimble, formerly TVS MP for HPE Nimble
• vROps MP for HPE Proliant (formerly TVS MP for HPE Proliant)
• vROps MP for Netapp E-Series (formerly TVS MP for Netapp E-Series)
• TVS MP for Nutanix 
• TVS MP for Redhat JBOSS EAP
• TVS MP for SAP 
• TVS MP for Meditech

Note: Both on-prem and cloud deployments are affected.

vRealize Operations Cloud Deployments:

VMware vRealize Management Pack for HPE 3PAR StoreServ
VMware vRealize Management Pack for NetApp E-Series
VMware vRealize True Visibility Suite 1.0
VMware vRealize Management Pack for Dell EMC PowerMax & VMAX

1. Follow the resolution steps in KB 87076 for vRealize Operations
2. Upgrade any installed affected management packs to a fixed version. See the list of fixed management pack versions below, with a link to download it from VMware Downloads.

• TVS MP for Apache Tomcat 8.0.2
• TVS MP for Citrix ADC 8.0.1
• vROps MP for Dell EMC Isilon (formerly TVS MP for Dell EMC Isilon) 4.0.1
• vROps MP for Dell EMC Powermax-VMax (formerly TVS MP for Dell EMC Powermax-VMax) 5.0.1
• vROps MP for Dell EMC Xtremio (formerly TVS MP for Dell EMC Xtremio) 4.0.1
• TVS MP for F5 Big-IP 8.0.1
• vROps MP for HPE Nimble (formerly TVS MP for HPE Nimble) 4.0.1
• vROps MP for HPE Proliant (formerly TVS MP for HPE Proliant) 5.0.1
• vROps MP for Netapp E-Series (formerly TVS MP for Netapp E-Series) 5.0.1
• TVS MP for Nutanix 8.0.1
• TVS MP for Redhat JBOSS EAP 8.0.2
• TVS MP for SAP 8.0.1
• TVS MP for Meditech 3.0.1

The workarounds described in this document are meant to be a temporary solution only.

Upgrades documented in VMSA-2021-0028 should be applied to remediate CVE-2021-44228 and CVE-2021-45046 when available.

Workaround:
The workaround for CVE-2021-44228 and CVE-2021-45046 to vRealize Operations will mitigate the vulnerability to all affected TVS Managements Packs. That workaround for vRealize Operations can be found at the following links using the correct type of deployment (on-prem or cloud).

• on-prem: https://kb.vmware.com/s/article/87076
• cloud:  https://kb.vmware.com/s/article/87080

Note: These workaround steps should be applied for any vRealize Operations deployment, regardless of which management packs are installed.

To revert the workaround for CVE-2021-44228 and CVE-2021-45046 to vRealize Operations perform the following steps:
vRealize Operations On-Prem Deployment

• Revert to the snapshot taken of each node prior to implementing the workaround.

vRealize Operations Cloud Deployment 

• Revert to the snapshot taken of each Cloud Proxy prior to implementing the workaround.

Change Log:

• December 15th 2021 - 10:52 AM EST: Initial draft
• December 17th 2021 - 2:45 PM EST: Added references to "CVE-2021-45046".
• January 4th 2022 - 9:26 AM EST: Added resolution steps.

Impact/Risks:
It is highly recommended to take snapshots of the vRealize Operations Cloud Proxies following How to take a Snapshot of vRealize Operations.
Note: These snapshots are required if you should have to revert the workaround for any reason.