Patches to address CVE-2021-44228/CVE-2021-45046 in vRNI On-Prem installations

Article ID: 324464


Products

VMware Aria Operations for Networks

Issue/Introduction

Notice: On December 14, 2021 the Apache Software Foundation notified the community that their initial guidance for CVE-2021-44228 workarounds was not sufficient. We believe the instructions in this article to be an effective mitigation for CVE-2021-44228, but in the best interest of our customers we must assume this workaround may not adequately address all attack vectors. 
We expect to fully address both CVE-2021-44228 and CVE-2021-45046 by updating log4j to version 2.16 in forthcoming releases of VMware vRealize Network Insight, as outlined by our software support policies. VMSA-2021-0028 will be updated when these releases are available. In the interim, we will be updating this Knowledge Base article with revised guidance to remove all JndiLookup classes and disable all lookups with the JVM property setting "log4j2.formatMsgNoLookups=true", as per VMware Security Response Center guidance. Please subscribe to this article to be informed when updates are published.

CVE-2021-44228 can possibly impact vRNI installations through their use of Elasticsearch, which bundles the impacted log4j version (2.11). This vulnerability and its impact on VMware products are documented in the following VMware Security Advisory (VMSA). Please review this document before continuing:


Highlighted sections indicate the most recent updates. See the Change Log at the end of this article for all changes, and subscribe to the article for updates.

Environment

VMware vRealize Network Insight 6.2.x
VMware vRealize Network Insight 6.4.0
VMware vRealize Network Insight 5.3.x

Resolution

To mitigate the vulnerability for vRealize Network Insight versions 6.0.0 and 6.1.0, refer to the workaround steps in the VMware Knowledge Base article https://kb.vmware.com/s/article/87135

To mitigate the vulnerability, the patches below are currently available for vRealize Network Insight versions 5.3.0, 6.2.0, 6.3.0, and 6.4.0.

Patch Download Details:

Patch for vRealize Network Insight version 5.3.0

 
Patch Download / Build Number: Download the Patch here (Build number: 1641915331)
File Name: VMware-vRNI.5.3.0.P6.1641915331.patch.bundle
Size: 654.4 MB
MD5SUM: C1054887621BC08F714742634FE583CF
SHA1SUM: 53D9FC025035BBE02A57E06FF2751B066A15171C
SHA256SUM: 4E82D2C388FEA94E421EF08EF45316B4DFEA76C9E98CEED1A31F5D403DBC8E3D


Patch for vRealize Network Insight version 6.2.0
 
Patch Download / Build Number: Download the Patch here (Build number: 1640222489)
File Name: VMware-vRNI.6.2.0.P6.1640222489.patch.bundle
Size: 648 MB
MD5SUM: B50AF9DA362558D58B62976E1C7BCD83
SHA1SUM: 02575BB132E360A7B324C8319867053803DEE69F
SHA256SUM: 4C25FD253C5DCC5C1D5F3052F26444C93FBC22DD7347954D29BBA7AC89F226B4


Patch for vRealize Network Insight version 6.3.0
 
Patch Download / Build Number: Download the Patch here (Build number: 1643900409)
File Name: VMware-vRNI.6.3.0.P2.1643900409.patch.bundle
Size: 668.9 MB
MD5SUM: CEE52B1E10CFF60690D3462A2CC401AE
SHA1SUM: CEE52B1E10CFF60690D3462A2CC401AE
SHA256SUM: 26FBB74593D51DDBAA9E669060D91338DE1C8398


Patch for vRealize Network Insight version 6.4.0
 
Patch Download / Build Number: Download the Patch here (Build number: 1640171691)
File Name: VMware-vRNI.6.4.0.P5.1640171691.patch.bundle
Size: 728 MB
MD5SUM: 0FCF6294B7F0D6D27A91E918F78B5CF0
SHA1SUM: 5C040C99A743A39192BD1506B75E2AE7C4917E7F
SHA256SUM: 776FC50506D5AE38DDDF7565A2FE5E5DD2AF236AAACF39E2C64EA2F509075243

Note: The above patches are cumulative and include any previous patches for the same version.
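
A pre-upload check for a downloaded bundle, as an added example (not VMware code): it hashes the file and compares it with the checksums published above, and it rejects a published value whose length does not fit its label, as with the 6.3.0 entries, where the SHA1SUM value has 32 hex characters and the SHA256SUM value has 40. The function names and the small file used by `demo()` are constructed for this example.

```python
import hashlib
import os
import tempfile

# Checksum labels from the patch tables -> (hashlib name, hex digest length).
ALGOS = {"MD5SUM": ("md5", 32), "SHA1SUM": ("sha1", 40), "SHA256SUM": ("sha256", 64)}

def classify_published(label, value):
    """Return 'ok' if value is a well-formed digest for label, else the reason."""
    value = value.strip()
    if not value or any(c not in "0123456789abcdefABCDEF" for c in value):
        return "not hex"
    if len(value) != ALGOS[label][1]:
        fits = [k for k, (_, n) in ALGOS.items() if n == len(value)]
        hint = f", looks like {fits[0]}" if fits else ""
        return f"wrong length ({len(value)}){hint}"
    return "ok"

def file_digest(path, algo, chunk=1 << 20):
    """Hash in 1 MiB chunks so a ~700 MB bundle is never held in memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_bundle(path, published):
    """Check a bundle against published checksums, given as {label: hex string}."""
    report = {}
    for label, value in published.items():
        state = classify_published(label, value)
        if state == "ok":
            actual = file_digest(path, ALGOS[label][0])
            state = "match" if actual == value.strip().lower() else "MISMATCH"
        report[label] = state
    # MD5 and SHA-1 are not collision resistant, so SHA256SUM must match;
    # any mismatch, or an unusable SHA256SUM, blocks the upload.
    report["upload_ok"] = report.get("SHA256SUM") == "match" and "MISMATCH" not in report.values()
    return report

def demo():
    """Run the check on a constructed stand-in file (a few bytes, not a real bundle)."""
    fd, path = tempfile.mkstemp(suffix=".patch.bundle")
    os.write(fd, b"constructed sample bundle contents\n")
    os.close(fd)
    try:
        good = {k: file_digest(path, a).upper() for k, (a, _) in ALGOS.items()}
        return verify_bundle(path, good), verify_bundle(path, {**good, "SHA256SUM": "0" * 64})
    finally:
        os.remove(path)
```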

Procedure to apply vRealize Network Insight patch bundle:
  1. Download the update patch file and save the file on your local system.
  2. Log into the vRealize Network Insight GUI as an Administrator user.
     Note: The default admin@local account can be used.
  3. Navigate to Settings > Install and Support > Overview and Updates, then under Product, select Click here.
  4. Click Browse to select the locally downloaded patch file and click Upload.
     Notes:
     • When the upload is complete, vRealize Network Insight shows the Bundle Upload Complete message notification within 2-3 minutes and the bundle processing happens in the background.
     • Until the upload of the package completes, ensure that the session is not closed. If the session ends, you have to restart the upload process.
     • Do not refresh the page after bundle upload, until you see the Update Available message notification.
  5. In the Bundle Available message notification, click View details.
     The vRealize Network Insight Update screen appears.
  6. Read the Before you proceed instruction and click Continue.
  7. Wait for the pre-checks to complete, which verify:
     • the disk space, including the space required for migration
     • the version
     • the NTP sync status
     • the bundle checksum
  8. Click Install Now.
     You can see the approximate time required to complete the update process on your setup.
  9. Once the update process begins, the vRealize Network Insight Update screen provides the status of the update process.
     Notes:
     • If a node becomes inactive, the update process does not continue. The update will not resume until the node becomes active again.
     • Once the platforms are updated, you can resume your normal vRealize Network Insight operations even though the collector update happens in parallel. Until the update process is completely over, the Node Version Mismatch detected message is shown on the Install and Support page.
  10. Upon completion of the update process, you see the below confirmation message:
      All platform and the collector nodes are updated.


Additional Information

Change Log:
January 5th, 2022 - 06:30 EST: Drafted initial document with patches for vRNI 6.2.0 and 6.4.0
January 12th, 2022 - 09:00 EST: Updated Resolution section with patches for vRNI 5.3.0
February 15th, 2022 - 03:45 EST: Updated Resolution section with patches for vRNI 6.3.0