Workaround instructions to address CVE-2021-44228 and CVE-2021-45046 in affected vRealize Operations Management Packs
search cancel

Workaround instructions to address CVE-2021-44228 and CVE-2021-45046 in affected vRealize Operations Management Packs

book

Article ID: 339868

calendar_today

Updated On:

Products

VMware Aria Suite

Issue/Introduction

CVE-2021-44228 has been determined to impact vRealize Operations 8.0.x - 8.6 via the Apache Log4j open source component it ships.  This vulnerability and its impact on VMware products are documented in the following VMware Security Advisory (VMSA), please review this document before continuing:
Management Packs Affected:
  • vRealize Operations Aggregator Management Pack 2.0
  • vRealize Operations Management Pack for CloudHealth 1.2
  • vRealize Operations Management Pack for Google Cloud Platform 1.2
  • vRealize Operations Management Pack for Horizon 1.2.1
  • vRealize Operations Management Pack for Kubernetes 1.5.2
  • vRealize Operations Management Pack for Kubernetes 1.6
  • vRealize Operations Management Pack for NSX on vSphere 3.7.1
  • vRealize Operations Management Pack for SDDC 8.2
  • vRealize Operations Management Pack for SDDC 8.4
  • vRealize Operations Management Pack for SDDC 8.6
  • vRealize Operations Management Pack for Skyline 2.0.
  • vRealize Operations Management Pack for Skyline 2.1
  • vRealize Operations Management Pack for SNMP 3.1
  • vRealize Operations Management Pack for SNMP 3.2
  • vRealize Operations Management Pack for vCloud Director 5.4
  • vRealize Operations Management Pack for vCloud Director 5.5
  • vRealize Operations Management Pack for vCloud Director 8.6
  • vRealize Operations Management Pack for VMware Identity Manager 1.1.1
  • vRealize Operations Management Pack for VMware Identity Manager 1.2
  • vRealize Operations Management Pack for VMware Identity Manager 1.3
  • vRealize Operations Management Pack for VMware Integrated OpenStack 6.1
  • vRealize Operations Management Pack for VMware Integrated OpenStack 6.2
  • vRealize Operations Management Pack for vRealize Orchestrator 3.2
  • vRealize Operations Management Pack for Storage Devices 8.4
  • vRealize Operations Tenant App for VMware Cloud 2.4
  • vRealize Operations Tenant App for VMware Cloud 2.5
  • vRealize Operations Tenant App for VMware Cloud 2.6.1
  • vRealize Operations Tenant App for VMware Cloud Director 8.6
Note: Both on-prem and cloud deployments are affected.

vRealize Operations Cloud Deployments:
We have taken the necessary actions to protect your environment from exploitation due to CVE-2021-44228. The vRealize Operations Cloud services have already been patched.  Any Cloud Proxy appliances deployed on your local site(s) must have the workaround implemented manually by following the steps in the article.

Environment

VMware vRealize Operations 8.x

Resolution

  1. Follow the resolution steps in KB 87076 for vRealize Operations.
  2. Upgrade any installed affected management packs to a fixed version. See the list of fixed management pack versions below, with a link to download it from VMware Downloads.


Additional Information

Change Log:
  • April 13th 2021 - 12:11 PM MT: Initial draft


Impact/Risks:
It is highly recommended to take snapshots of the vRealize Operations nodes following How to take a Snapshot of vRealize Operations.
Note: These snapshots are required if you should have to revert the workaround for any reason.