CVE-2021-44228 has been determined to impact VMware Telco Cloud Operations 1.4 due to the Apache Log4j open source component it ships.
On December 14, 2021 the Apache Software Foundation notified the community that their initial guidance for CVE-2021-44228 workarounds was not sufficient. We believe the instructions in this article to be an effective mitigation for CVE-2021-44228, but in the best interest of our customers we must assume this workaround may not adequately address all attack vectors.
We expect to fully address both CVE-2021-44228 and CVE-2021-45046 by updating log4j to version 2.16 in forthcoming releases of “VMware Telco Cloud Operations”, as outlined by our software support policies. VMSA-2021-0028 will be updated when these releases are available.
In the interim, we have updated this Knowledge Base article with revised guidance to remove all JndiLookup classes per Apache Software Foundation guidance. Please subscribe to this article to be informed when updates are published.
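The workaround referred to above (removing the JndiLookup class from every log4j-core jar, per Apache Software Foundation guidance) is a file-level change, so it is worth having a repeatable way to find affected jars, confirm whether the class is still present, and strip it. The script below is an added example, not VMware's own tooling or part of this article: it walks a directory tree, reads the `Implementation-Version` from each log4j-core jar's manifest, flags anything older than 2.16.0 (the version this article says the product will move to), and rewrites a jar without `org/apache/logging/log4j/core/lookup/JndiLookup.class`. The `build_sample_jar` helper and the jar contents it writes are constructed fixtures for demonstration only; the version-compare treats an unreadable version as vulnerable on purpose.

```python
"""Find log4j-core jars, report their version, and strip JndiLookup.class.

Added example (not VMware's tooling). Assumes jars are plain zip archives
with a META-INF/MANIFEST.MF carrying Implementation-Version.
"""
import os
import re
import shutil
import tempfile
import zipfile

# The class that implements JNDI message lookups; removing it is the ASF workaround.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# The release this article says the product will move to.
FIXED_VERSION = (2, 16, 0)


def log4j_version(jar_path):
    """Return Implementation-Version from the jar manifest, or None if absent."""
    with zipfile.ZipFile(jar_path) as jar:
        if "META-INF/MANIFEST.MF" not in jar.namelist():
            return None
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
    return match.group(1) if match else None


def is_vulnerable_version(version):
    """True when the numeric part of the version is older than 2.16.0.

    An unknown version (None) compares as 0.0.0 and is reported vulnerable,
    which is the conservative choice for a scanner.
    """
    nums = [int(n) for n in re.findall(r"\d+", version or "")[:3]]
    nums += [0] * (3 - len(nums))
    return tuple(nums) < FIXED_VERSION


def has_jndi_lookup(jar_path):
    """True if the jar still contains the JndiLookup class entry."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_CLASS in jar.namelist()


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class. Returns True if it was removed."""
    if not has_jndi_lookup(jar_path):
        return False
    # Write to a temp file in the same directory, then replace atomically.
    fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path) or ".")
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                continue
            dst.writestr(info, src.read(info.filename))
    shutil.move(tmp_path, jar_path)
    return True


def scan(root):
    """Walk a tree and report every log4j-core jar with version and class status."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not (name.startswith("log4j-core") and name.endswith(".jar")):
                continue
            path = os.path.join(dirpath, name)
            version = log4j_version(path)
            findings.append({
                "jar": path,
                "version": version,
                "vulnerable_version": is_vulnerable_version(version),
                "jndi_lookup_present": has_jndi_lookup(path),
            })
    return findings


def build_sample_jar(path, version, include_jndi):
    """Constructed fixture: a minimal jar with a manifest and optional JndiLookup entry."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        # Placeholder class bytes (Java class-file magic) standing in for real classes.
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


if __name__ == "__main__":
    root = tempfile.mkdtemp()
    build_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1", True)
    build_sample_jar(os.path.join(root, "log4j-core-2.16.0.jar"), "2.16.0", False)
    for finding in scan(root):
        print(finding)
        if finding["jndi_lookup_present"] and strip_jndi_lookup(finding["jar"]):
            print("removed JndiLookup.class from", finding["jar"])
```

Two points to keep in mind when applying this to container services like the ones listed in this article: the jar lives inside the container image, so the class must be stripped in the image (or the image replaced with the patched 1.4.0.1 build) rather than in a running container that will be recreated from the original image; and, as the article itself states, removing the class is an interim measure, while the upgrade to log4j 2.16 remains the fix.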
1.4
The following container services of VMware Telco Cloud Operations 1.4 include a log4j version vulnerable to CVE-2021-44228:
However, the vulnerability is not exploitable, since they are Spring Boot applications that don't override the default logger; see Log4J2 Vulnerability and Spring Boot.
ElasticSearch Container Service uses a vulnerable Log4j version but this is also not exploitable as per the Advisory.
A patch has been released under Telco Cloud Operations 1.4.0.1. The following container services have upgraded the log4j-core component to version 2.16:
Read the TCSO 1.4.0.1 Release Notes for more information.
Change Log:
An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. However, VMware Telco Cloud Operations has several layers of protection that will make exploiting CVE-2021-44228 difficult.
This vulnerability and its impact on VMware products are documented in the following VMware Security Advisory (VMSA); review that advisory before continuing: