Note: Official patches have been released for the vRSLCM versions listed below to address the log4j vulnerabilities, and installing them is the recommended remediation. The patches can be applied regardless of whether the steps in this KB were applied earlier or not. The steps in this KB are an interim workaround until the official patches are installed.
For more details on each patch, see the release notes:
8.1.0: VMware-vRealize-Suite-Lifecycle-Manager-81-Patch-2
8.2.0: VMware-vRealize-Suite-Lifecycle-Manager-82-Patch-3
8.3.0: VMware-vRealize-Suite-Lifecycle-Manager-83-Patch-3
8.4.0: VMware-vRealize-Suite-Lifecycle-Manager-84-Patch-1
8.4.1: VMware-vRealize-Suite-Lifecycle-Manager-841-Patch-3
8.6.0: VMware-vRealize-Suite-Lifecycle-Manager-86-Patch-1
Resolution:
The workarounds described in this document are meant to be a temporary solution only.
The official patches mentioned above should be applied to remediate CVE-2021-44228 and CVE-2021-45046.
Workaround:
1. Take a snapshot of the vRealize Suite Lifecycle Manager appliance.
2. Copy the attached log4jfix.sh file to the /tmp directory.
3. Log in to the vRSLCM appliance as root via SSH.
4. Change to the /tmp directory:
cd /tmp
5. Run the following command to make the log4jfix.sh script executable:
chmod +x log4jfix.sh
6. Run the following command to execute the script:
./log4jfix.sh
Note: If you encounter the error below while executing the script, rename the old version of the vRSLCM SNAPSHOT.jar file and rerun the script:
./log4jfix.sh: line 4: [: vmlcm-service-8.1.1-SNAPSHOT.jar: binary operator expected
vRSLCM services jar does not exist
Steps to rename:
1. Change to the /var/lib/vrlcm directory:
cd /var/lib/vrlcm
2. Run the command below to rename the file:
mv vmlcm-service-8.1.1-SNAPSHOT.jar vmlcm-service-8.1.1-SNAPSHOT_old.jar
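The "binary operator expected" error quoted above is what the shell prints when an unquoted wildcard inside a `[ -f ... ]` test expands to two files, here an old and a new SNAPSHOT jar, so the test sees two operands with nothing between them. As an added example (not part of this KB or the attached log4jfix.sh, whose contents are not shown here), this POSIX shell helper locates the single service jar under a given directory and fails with a clear message when none or several are present; the `vmlcm-service-*-SNAPSHOT.jar` pattern and the constructed demonstration directory are assumptions, not taken from the script.

```shell
#!/bin/sh
# Added example, not the KB's or the log4jfix.sh script's own code.
# A pattern such as [ -f /var/lib/vrlcm/vmlcm-service-*-SNAPSHOT.jar ] breaks
# as soon as two jars match; iterating over the matches avoids that and lets
# us report zero or several matches explicitly. Pattern is an assumption.
find_service_jar() {
    dir=$1
    count=0
    found=
    for jar in "$dir"/vmlcm-service-*-SNAPSHOT.jar; do
        # An unmatched glob stays literal; -f filters that case out.
        [ -f "$jar" ] || continue
        count=$((count + 1))
        found=$jar
    done
    case $count in
        0) echo "vRSLCM services jar does not exist in $dir" >&2; return 1 ;;
        1) printf '%s\n' "$found"; return 0 ;;
        *) echo "found $count service jars in $dir; rename the old one (e.g. to *_old.jar) and rerun" >&2
           return 2 ;;
    esac
}

# Demonstration on a constructed directory, not a real appliance.
demo() {
    d=$(mktemp -d)
    touch "$d/vmlcm-service-8.1.1-SNAPSHOT.jar" "$d/vmlcm-service-8.1.2-SNAPSHOT.jar"
    find_service_jar "$d" || echo "status $? with two jars present"
    # The KB's rename step: _old.jar no longer matches the pattern.
    mv "$d/vmlcm-service-8.1.1-SNAPSHOT.jar" "$d/vmlcm-service-8.1.1-SNAPSHOT_old.jar"
    find_service_jar "$d"
    rm -rf "$d"
}
demo
```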