The workarounds described in this document are meant to be a temporary solution only.
Upgrades documented in the aforementioned advisory should be applied to remediate CVE-2021-44228 and CVE-2021-45046 when available.
Workaround:
Notice: The below content has been updated as of 12/15/2021 to add workaround steps for the related CVE-2021-45046 as noted above. Please re-run all of the below steps even if you have already implemented the original CVE-2021-44228 workaround steps by running the cp-log4j-fix.sh script.
To apply the workaround for CVE-2021-44228 and CVE-2021-45046 to VMware Aria Operations (SaaS) Cloud Proxies, perform the following steps:
- Copy the attached cp-log4j-fix.sh and vrops-log4j-fix.sh files to the /tmp directory on all Cloud Proxies using an SCP utility.
- Log into each Cloud Proxy as root via SSH or Console, pressing ALT+F1 in a Console to log in.
- Change to the /tmp directory on all Cloud Proxies:
cd /tmp
- Run the following command on all Cloud Proxies to make the cp-log4j-fix.sh script executable:
chmod +x cp-log4j-fix.sh
- Run the following command on all Cloud Proxies to make the vrops-log4j-fix.sh script executable:
chmod +x vrops-log4j-fix.sh
- Run the following command on all Cloud Proxies to execute the cp-log4j-fix.sh script:
./cp-log4j-fix.sh
Note: Ensure there are no ERROR messages in the script output.
- Run the following command on all Cloud Proxies to execute the vrops-log4j-fix.sh script:
./vrops-log4j-fix.sh
Note: Ensure there are no ERROR messages in the script output.
- Run the following command on all Cloud Proxy nodes to restart the CaSA and Collector services:
service vmware-casa restart; service collector restart
To verify the workaround for CVE-2021-44228 has been correctly applied to VMware Aria Operations (SaaS) Cloud Proxies, perform the following steps:
- Log into each node as root via SSH or Console, pressing ALT+F1 in a Console to log in.
- Run the following command to verify if the data-rc-witness-log4j-fix.sh script was successful:
ps axf | grep --color log4j2.formatMsgNoLookups | grep -v grep
Note: There should be output from the above command. If there is no output on a node, that node was not successfully modified. Re-run the script on that node following the instructions above.
- Run the following command to verify if the vrops-log4j-fix.sh script was successful:
/tmp/vrops-log4j-fix.sh
Note: You should receive output reading:
Searching for impacted .jar files. Please wait...
No impacted .jar files found
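The two verification checks above, as an added shell example (not a VMware script and not one of this article's attachments): it goes slightly beyond the single grep by reporting, per Java process, whether `-Dlog4j2.formatMsgNoLookups=true` is on the command line, and it tests the vrops-log4j-fix.sh output for the expected message. The function names, the `--run` switch and the sample process list are assumptions constructed for illustration; the article does not state which Java processes are expected to carry the flag.

```shell
#!/bin/sh
# Added example, not a VMware script. Function names are hypothetical.

# Read "PID ARGS" lines (as printed by `ps -eo pid,args`) on stdin and print
# "<pid> OK" or "<pid> MISSING" for every process whose executable is java.
check_java_flags() {
    awk '$2 == "java" || $2 ~ /\/java$/ {
        if ($0 ~ /-Dlog4j2\.formatMsgNoLookups=true/) print $1, "OK"
        else print $1, "MISSING"
    }'
}

# Read vrops-log4j-fix.sh output on stdin. Succeed only if it contains no
# ERROR text and does contain the "No impacted .jar files found" message.
jar_scan_clean() {
    out=$(cat)
    case "$out" in *ERROR*) return 1 ;; esac
    printf '%s\n' "$out" | grep -qF 'No impacted .jar files found'
}

# Constructed sample of `ps -eo pid,args` output (paths are made up).
sample_ps() {
    cat <<'EOF'
  PID COMMAND
  812 /usr/sbin/sshd -D
 1403 /usr/java/bin/java -Xmx512m -Dlog4j2.formatMsgNoLookups=true -jar casa.jar
 1577 /usr/java/bin/java -Xmx1g -jar collector.jar
EOF
}

# With --run, check the live node; otherwise only the functions are defined.
if [ "${1:-}" = "--run" ]; then
    ps -eo pid,args | check_java_flags
    if /tmp/vrops-log4j-fix.sh | jar_scan_clean; then
        echo "jar scan: clean"
    else
        echo "jar scan: review output"
    fi
fi
```

Any `MISSING` line identifies a Java process that was started without the flag and should be compared against the services restarted in the steps above.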