CVE-2021-44228 & CVE-2021-45046 has been determined to potentially impact VMware NSX-T Data Center via the Apache Log4js open-source component it ships. This vulnerability and its impact on VMware products are documented in the following VMware Security Advisory (VMSA), please review this document before continuing:
December 22nd, 2021 Note: The previous version of the workaround distributed on December 17th, 2021, omitted some JndiLookup class files embedded in internal services within NSX-T. Due to an abundance of caution, we have updated the Debian package to remove additional occurrences of java class files. This updated package is comprehensive and includes the previous workarounds. VMware recommends applying the new Debian package 'unified-appliance-log4j2-patch_3.1.3.6.0.19099859_all.deb' if you have not already completed the previous workaround. There are no known exploits of the aforementioned internal services for customers who have already used the earlier Debian package, 'unified-appliance-log4j2-patch_3.1.3.6.0.19078151_all.deb
1. Take an SFTP Backup of your NSX-T Manager.
Reference the following document for guidance, if needed: https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/administration/GUID-E6181BF1-2CB7-4870-B508-BFAF5B47D702.html
2. Download the Debian package 'unified-appliance-log4j2-patch_3.1.3.6.0.19099859_all.deb' from the attachment section on the right side of this KB article.
3. Copy the Debian package provided on this KB article to all three of the NSX-T Manager appliances. The use of WinSCP, Linux based SCP, or any like method is recommended
4. Login to the NSX-T Unified Appliance via SSH and using the admin account.
If SSH is not enabled, log in to vCenter Server and open the VM console of the NSX-T Manager. To start the SSH Service, run command: start service ssh
5. Switch to root user:
st en
Enter the root password when prompted.
6. Install the Debian package with the following command, run in the directory in which you've copied the Debian package to on the NSX-T Unified Appliance.
dpkg -i unified-appliance-log4j2-patch_3.1.3.6.0.19099859_all.deb
7. Reboot the system:
/sbin/reboot
Warning: Do not reboot several NSX-T Manager appliances at the same time. Ensure the cluster services stabilize, prior to proceeding to the next NSX-T Manager appliance.
To monitor NSX-T Manager cluster services, at the 'admin' level of SSH, use the following command:
get cluster status
Verification Steps
To verify the workaround for CVE-2021-44228 & CVE-2021-45046 has been correctly applied to each NSX-T Manager Appliance, perform the following steps with root access via SSH on the appliance:
Step 1: Verify the configuration files have been updated with the “formatMsgNoLookup=true” flag.
grep "wrapper.java.additional.100=" /usr/tanuki/conf/*-wrapper.conf
Example of expected output:
Note: The number of files below will vary for NSX-T Manager and NSX-T Cloud Service
Manager. The presence of any number of files confirms that the workaround was
successfully applied.
/usr/tanuki/conf/async-replicator-service-wrapper.conf:wrapper.java.additional.100=-Dlog4j2.formatMsgNoLookups=true /usr/tanuki/conf/cluster-boot-manager-wrapper.conf:wrapper.java.additional.100=-Dlog4j2.formatMsgNoLookups=true /usr/tanuki/conf/cm-inventory-tomcat-wrapper.conf:wrapper.java.additional.100=-Dlog4j2.formatMsgNoLookups=true /usr/tanuki/conf/corfu-log-replication-server-wrapper.conf:wrapper.java.additional.100=-Dlog4j2.formatMsgNoLookups=true /usr/tanuki/conf/corfu-nonconfig-server-wrapper.conf:wrapper.java.additional.100=-Dlog4j2.formatMsgNoLookups=true /usr/tanuki/conf/corfu-server-wrapper.conf:wrapper.java.additional.100=-Dlog4j2.formatMsgNoLookups=true /usr/tanuki/conf/cross-cloud-upgrade-coordinator-tomcat-wrapper.conf:wrapper.java.additional.100=-Dlog4j2.formatMsgNoLookups=true /usr/tanuki/conf/idps-reporting-service-wrapper.conf:wrapper.java.additional.100=-Dlog4j2.formatMsgNoLookups=true /usr/tanuki/conf/intelligence-upgrade-coordinator-tomcat-wrapper.conf:wrapper.java.additional.100=-Dlog4j2.formatMsgNoLookups=true /usr/tanuki/conf/migration-coordinator-tomcat-wrapper.conf:wrapper.java.additional.100=-Dlog4j2.formatMsgNoLookups=true /usr/tanuki/conf/nsx-ccp-wrapper.conf:wrapper.java.additional.100=-Dlog4j2.formatMsgNoLookups=true /usr/tanuki/conf/phonehome-coordinator-tomcat-wrapper.conf:wrapper.java.additional.100=-Dlog4j2.formatMsgNoLookups=true /usr/tanuki/conf/policy-tomcat-wrapper.conf:wrapper.java.additional.100=-Dlog4j2.formatMsgNoLookups=true /usr/tanuki/conf/proton-tomcat-wrapper.conf:wrapper.java.additional.100=-Dlog4j2.formatMsgNoLookups=true /usr/tanuki/conf/proxy-tomcat-wrapper.conf:wrapper.java.additional.100=-Dlog4j2.formatMsgNoLookups=true /usr/tanuki/conf/search-wrapper.conf:wrapper.java.additional.100=-Dlog4j2.formatMsgNoLookups=true /usr/tanuki/conf/upgrade-coordinator-tomcat-wrapper.conf:wrapper.java.additional.100=-Dlog4j2.formatMsgNoLookups=true
Step 2: Verify the JndiLookup class was removed from all jar files on the appliance.
find /usr /opt -xdev -iname "*.jar" | while read l; do unzip -l $l|grep "JndiLookup.class"; if [[ ${PIPESTATUS[1]} -eq 0 ]]; then echo $l; fi; done
Expected Return: None
Note: If any files are found with the above command, please contact VMware Support.
To revert the workaround for CVE-2021-44228 & CVE-2021-45046 to VMware NSX-T Data Center perform the following steps on each NSX-T Manager or NSX-T Cloud Service Manager.
A malicious actor with network access to an impacted VMware product may exploit this issue to invoke remote code execution. However, there are multiple layers of protection in NSX-T that will make exploiting CVE-2021-44228 & CVE-2021-45046 difficult:
Note: NSX-T Edge VM's and Bare Metal Edge Nodes are not affected by this issue.
Note: If the below workaround is applied to an NSX-T Manager, and that NSX-T Manager is subsequently upgraded to a newer vulnerable version of NSX-T, the workaround must be re-applied post upgrade.
Note: This workaround will have to be re-applied on the post-restore NSX-T Managers or NSX-T Cloud Service Managers if an environment is restored from backup.