Notice: On December 14, 2021 the Apache Software Foundation notified the community that their initial guidance for CVE-2021-44228 workarounds was not sufficient. We believe the instructions in this article to be an effective mitigation for CVE-2021-44228, but in the best interest of our customers we must assume this workaround may not adequately address all attack vectors. 
We expect to fully address both CVE-2021-44228 and CVE-2021-45046 by updating log4j to version 2.16 in forthcoming releases of VMware vRealize Network Insight, as outlined by our software support policies. VMSA-2021-0028 will be updated when these releases are available. In the interim, we will be updating this Knowledge Base article with revised guidance to remove all JndiLookup classes and disabling all lookups with JVM property settings “log4j2.formatMsgNoLookups=true” as per VMware Security Response Center guidance. Please subscribe to this article to be informed when updates are published.

CVE-2021-44228 can possibly impact vRNI installations via the usage of ElasticSearch which bundles the impacted log4j version (2.11).  This vulnerability and its impact on VMware products are documented in the following VMware Security Advisory (VMSA), please review this document before continuing:

• CVE-2021-44228 -VMSA-2021-0028
•  CVE-2021-45046  

Highlighted sections indicate the most recent updates. See the Change log at the end of this article for all changes and subscribe the article for updates.

VMware vRealize Network Insight 6.2.x
VMware vRealize Network Insight 6.4.0
VMware vRealize Network Insight 5.3.x

To mitigate the vulnerability for the vRealize Network Insight version  6.0.0 and 6.1.0 refer to workaround steps mentioned in VMware Knowledge base https://kb.vmware.com/s/article/87135

To mitigate the vulnerability below patches are available for vRealize Network Insight version 5.3.0,  6.2.0, 6.3.0, and 6.4.0 for now.

Patch Download Details:

Patch for vRealize Network Insight version 5.3.0
 

Patch Download/ Build Number	Download the Patch here  Build number: 1641915331
File Name	VMware-vRNI.5.3.0.P6.1641915331.patch.bundle
Size	654.4 MB
MD5SUM	C1054887621BC08F714742634FE583CF
SHA1SUM	53D9FC025035BBE02A57E06FF2751B066A15171C
SHA256SUM	4E82D2C388FEA94E421EF08EF45316B4DFEA76C9E98CEED1A31F5D403DBC8E3D

Patch for vRealize Network Insight version 6.2.0
 

Patch Download/ Build Number	Download the Patch here Build number: 1640222489
File Name	VMware-vRNI.6.2.0.P6.1640222489.patch.bundle
Size	648 MB
MD5SUM	B50AF9DA362558D58B62976E1C7BCD83
SHA1SUM	02575BB132E360A7B324C8319867053803DEE69F
SHA256SUM	4C25FD253C5DCC5C1D5F3052F26444C93FBC22DD7347954D29BBA7AC89F226B4

Patch for vRealize Network Insight version 6.3.0
 

Patch Download/ Build Number	Download the Patch here  build number: 1643900409
File Name	VMware-vRNI.6.3.0.P2.1643900409.patch.bundle
Size	668.9 MB
MD5SUM	CEE52B1E10CFF60690D3462A2CC401AE
SHA1SUM	CEE52B1E10CFF60690D3462A2CC401AE
SHA256SUM	26FBB74593D51DDBAA9E669060D91338DE1C8398

Patch for vRealize Network Insight version 6.4.0
 

Patch Download/ Build Number	Download the Patch here Build number: 1640171691
File Name	VMware-vRNI.6.4.0.P5.1640171691.patch.bundle
Size	728 MB
MD5SUM	0FCF6294B7F0D6D27A91E918F78B5CF0
SHA1SUM	5C040C99A743A39192BD1506B75E2AE7C4917E7F
SHA256SUM	776FC50506D5AE38DDDF7565A2FE5E5DD2AF236AAACF39E2C64EA2F509075243

Note: Above patches are cumulative of any previous patches for the same version

Procedure to apply vRealize Network Insight patch bundle:

1. Download the update patch file and save the file on your local system.
2. Log into the vRealize Network Insight GUI as an Administrator user.

        Note: The default admin@local account can be used.
     
       3. Navigate to Settings > Install and Support > Overview and Updates, then under Product, select Click here. 
       4. Click Browse to select the locally downloaded patch file and click Upload.
     
        Notes:

• When the upload is complete, vRealize Network Insight shows the Bundle Upload Complete message notification within 2-3 minutes and the bundle processing happens in the background.
• Until the upload of the package happens, ensure that the session is not closed. If the session ends, you have to restart the upload process.
• Do not refresh the page after bundle upload, until you see the Update Available message notification.

       5. In the Bundle Available message notification, click View details.
            
            vRealize Network Insight Update screen appears.
         

6. Read the Before you proceed instruction and click Continue.
7. Wait for the pre-checks to complete, which verifies:

• the disk space, including the space required for migration
• the version
• the NTP sync status
• the bundle checksum

8. Click Install Now.

You can see the approximate time required to complete the update process on your setup.

9. Once the update process begins, the vRealize Network Insight Update screen provides the status of the update process.

Notes:

• If a node becomes inactive, the update process does not continue. The update will not resume until the node becomes active again.
• Once the platforms are updated, you can resume your normal vRealize Network Insight operations even though the collector update happens in parallel. Until the update process is completely over, the Node Version Mismatch detected the message is shown in the Install and Support page.

10. Upon the completion of the update process, you see the below confirmation message.

          All platform and the collector nodes are updated.

Change Log:
January 5th, 2022 - 06:30 EST:  Drafted initial document with patches for vRNI 6.2.0 and 6.4.0
January 12th, 2022 - 09:00 EST:  Updated Resolution section  with patches for vRNI 5.3.0
February 15th, 2022 - 03:45 EST:  Updated Resolution section  with patches for vRNI 6.3.0