CVE-2021-44228 has been determined to impact vRealize Operations Tenant App 2.5 via the Apache Log4j open source component it ships.  This vulnerability and its impact on VMware products are documented in the following VMware Security Advisory (VMSA), please review this document before continuing:

• CVE-2021-44228 - VMSA-2021-0028

Symptoms:
Notice: On December 14, 2021 the Apache Software Foundation notified the community that their initial guidance for CVE-2021-44228 workarounds was not sufficient. We believe the instructions in this article to be an effective mitigation for CVE-2021-44228, but in the best interest of our customers we must assume this workaround may not adequately address all attack vectors. 

We expect to fully address CVE-2021-44228 by updating Log4j to version 2.16 in forthcoming releases of vRealize Operations Tenant App, as outlined by our software support policies.  VMSA-2021-0028 will be updated when these releases are available. In the interim, we have updated this Knowledge Base article with revised guidance to remove all JndiLookup classes per Apache Software Foundation guidance.

vRealize Operations Tenant App has been found to not be affected by CVE-2021-45046.

Please subscribe to this article to be informed when updates are published.

The workarounds described in this document are meant to be a temporary solution only.
Upgrades documented in the aforementioned advisory should be applied to remediate CVE-2021-44228 when available.

Workaround:
To apply the workaround for CVE-2021-44228 to vRealize Operations Tenant App, perform the following steps:

Note: These steps will require use of a secondary Linux based machine with JDK 8u221 or later installed to patch the Tenant App JAR file.

1. Log into the Tenant App machine as root via SSH or Console, pressing ALT+F1 in a Console to log in.
2. Run the following command:

3. Run the following command to copy the tenant-app-api.jar file from the container to Tenant App machine:

4. Run the following command to create a backup of the existing tenant-app-api.jar file:

5. Log on to the secondary Linux based machine with JDK 8u221 or later installed.
6. On the secondary Linux based machine, run the following command to make a temporary directory:

7. Download the log4j-vulnerability-mitigation.sh script attached to this article and place it in the /tmp directory on the secondary Linux based machine.
8. On the secondary Linux based machine, copy the tenant-app-api.jar file from the Tenant App machine to the local machine:

9. On the secondary Linux based machine, execute the log4j-vulnerability-mitigation.sh script to patch the tenant-app-api.jar file:   

10. On the secondary Linux based machine, copy the patched tenant-app-api.jar file to the Tenant App machine:

11. Log back into the Tenant App machine as root via SSH or Console, pressing ALT+F1 in a Console to log in.
12. Replace the existing tenant-app-api.jar file present in the container with the patched jar file located in the /root directory:

13. Restart tenant-app-ui docker container:

To verify the workaround for CVE-2021-44228 has been correctly applied to the vRealize Operations Tenant App machine, perform the following steps:

1. Log into the Tenant App machine as root via SSH or Console, pressing ALT+F1 in a Console to log in.
2. Run the following commands in sequential order:

• mkdir -p /root/temp
• unzip /root/tenant-app-api.jar -d /root/temp
• find /root/temp -type f -name "*.jar" | grep "log4j-core*"
• zipinfo -1 /root/temp/BOOT-INF/lib/log4j-core-2.11.2.jar | grep "org/apache/logging/log4j/core/lookup/JndiLookup.class"

To revert the workaround for CVE-2021-44228 to vRealize Operations Tenant App, perform the following steps:

1. Revert to the snapshot taken of each node prior to implementing the workaround.

Change Log:

• December 23rd 2021 - 9:22 MST:    Drafted initial document with initial workaround.

Impact/Risks:
It is highly recommended to take snapshots of the vRealize Operation Tenant.
Note: These snapshots are required if you should have to revert the workaround for any reason.