Address CVE-2021-44228
search cancel

Address CVE-2021-44228

book

Article ID: 345118

calendar_today

Updated On:

Products

VMware Telco Cloud Operations

Issue/Introduction

CVE-2021-44228 has been determined to impact VMware Telco Cloud Operations 1.4 due to the Apache Log4j open source component it ships.

On December 14, 2021 the Apache Software Foundation notified the community that their initial guidance for CVE-2021-44228 workarounds was not sufficient. We believe the instructions in this article to be an effective mitigation for CVE-2021-44228, but in the best interest of our customers we must assume this workaround may not adequately address all attack vectors.

 
We expect to fully address both CVE-2021-44228 and CVE-2021-45046 by updating log4j to version 2.16 in forthcoming releases of “VMware Telco Cloud Operations”, as outlined by our software support policies. VMSA-2021-0028 will be updated when these releases are available. 

In the interim, we have updated this Knowledge Base article with revised guidance to remove all JndiLookup classes per Apache Software Foundation guidance. Please subscribe to this article to be informed when updates are published.

Environment

1.4

Resolution

The following container Services of VMware Telco Cloud Operations 1.4 include a vulnerable log4j version under CVE-2021-44228

  • NotificationService
  • Apiservice

However, the vulnerability is not exploitable, since they are Spring Boot applications that don't override the default logger; see Log4J2 Vulnerability and Spring Boot.

ElasticSearch  Container Service uses a vulnerable Log4j version but this is also not exploitable as per the Advisory.

A patch has been released under Telco Cloud Operations 1.4.0.1. The following container services have upgraded the log4j-core component to version 2.16:

  • Omega-alerting
  • omega-enrichment
  • omega-streaming
  • k4m-rest
  • TopologyService
  • MetricService

Read the TCSO 1.4.0.1 Release Notes for more information. 

Additional Information

Change Log: 

  • 22-December-2021 : Resolution section has been updated with patch release information. 

An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. However, there are different layers of protection in VMware Telco Cloud Operations will make exploiting CVE-2021-44228 difficult.

This vulnerability and its impact on VMware products are documented in the following VMware Security Advisory (VMSA), review this document before continuing: