The workarounds described in this document are meant to be a temporary solution only.
Upgrades documented in the aforementioned Advisory should be applied to remediate CVE-2021-44228 when available.
Workaround:
NOTE:
STEPS:
Use the attached script log4j_20Dec2021.sh to make the changes. This script removes JndiLookup.class from log4j and embedded jars.
cd /var/tmp
chmod +x log4j_20Dec2021.sh
./log4j_20Dec2021.sh
Steps to ensure there is no vulnerability present. Run the following command
Run the following command and check the output. No files should be listed, which indicates that no vulnerable files are present:
cat /tmp/validation.txt
Log in as sshuser, then sudo to root-level access.
-Dset.rmi.server.hostname=true \
Under that line insert the following new line, and save the file:
-Dlog4j2.formatMsgNoLookups=true \
service horizon-workspace restart
NOTE: Steps 6 through 7 are needed only if certproxy for Android SSO is configured.
/etc/init.d/vmware-certproxy restart
-Dlog4j2.disable.jmx=true
Under that line insert the following configuration, and save the file:
-Dlog4j2.formatMsgNoLookups=true
service elasticsearch restart
Note: If you are running a cluster deployment, repeat the steps above on all additional nodes of the cluster.
Validation steps to confirm that the workaround has been successfully applied
Procedure for Windows Connectors
checkConnectorJndiWindows.bat
"C:\Program Files\7-Zip\7z" d -tzip "<detected vulnerable file path>" org/apache/logging/log4j/core/lookup/JndiLookup.class
where "<detected vulnerable file path>" is a file reported by the scanner.
To revert the CVE-2021-44228 workaround, you can revert to the snapshot taken before applying these steps. Alternatively, revert the changes made to the individual configuration files and restart the services.
Change Log:
December 11th 2021 12:00PM PST: First version published of Workaround
December 13th 2021 3:05PM PST: Added script to automate changes
December 14th 2021 9:40AM PST: Added link to Lifecycle Matrix
December 17th 2021 2:48PM PST: Added updated script to remove JndiLookup.class
December 17th 2021 5:42PM PST: Added a Windows script to remove JndiLookup.class
December 20th 2021 8:15AM PST: Replaced log4j_17Dec2021.sh with log4j_20Dec2021.sh to remove .zip files and extracted files to save space
December 20th 2021 4:00PM PST: Added script checkConnectorJndiWindows.bat to determine whether vulnerable files were found
December 21st 2021 11:30AM PST: Script applyPatchJndiWindows17Dec2021.bat updated to fix a typo and renamed as applyPatchJndiWindows21Dec2021.bat
June 26th 2024 11:43AM IST: Removed hyperlinks pointing to salesforce and renamed VMware Lifecycle matrix to Broadcom Product Lifecycle
Impact/Risks:
Possible compromise due to crafted API calls
List of affected versions
3.3.5 - VMware Identity Manager
3.3.4 - VMware Identity Manager
3.3.3 - VMware Identity Manager