Notice: On December 14, 2021, the Apache Software Foundation notified the community that their initial guidance for CVE-2021-44228 workarounds was not sufficient. We believe the instructions in this article to be an effective mitigation for CVE-2021-44228, but in the best interest of our customers we must assume this workaround may not adequately address all attack vectors.
We expect to fully address both CVE-2021-44228 and CVE-2021-45046 by updating log4j to version 2.16 in forthcoming releases of VMware Site Recovery Manager and vSphere Replication, as outlined by our software support policies. This Knowledge Base article and VMSA-2021-0028 will be updated when these releases are available. Please subscribe to this article to be informed when updates are published.
CVE-2021-44228 has been determined to impact Site Recovery Manager and vSphere Replication via the Apache Log4j open source component they ship. This vulnerability and its impact on VMware products are documented in the following VMware Security Advisory (VMSA); please review that advisory before continuing:
You can validate exposure on a vSphere Replication or Site Recovery Manager appliance by running the following commands from a shell as the root user:
grep -R 'JndiLookup.class' /opt/vmware/
grep -R 'JndiLookup.class' /var/opt/apache-tomcat/
If the mitigation has been successfully applied, these commands will not return any results.
Verify the environment variable has been properly set for every running Java process (all in one line):
for pid in $( ps ax | grep java | grep -v grep | awk '{print $1}' ); do cat /proc/$pid/environ |tr '\0' '\n' | grep "LOG4J_FORMAT_MSG_NO_LOOKUPS"; done
Note: the expected output is multiple lines of "LOG4J_FORMAT_MSG_NO_LOOKUPS=true", one per running Java process.
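The two checks above, combined into a script that returns a pass/fail status so a runbook or scheduled job can act on it; this is an added example, not VMware's own tooling. It assumes a Linux /proc layout and POSIX grep, tr and awk, and the function and file names are mine.

```shell
# Added example (not VMware's script): the article's two verification
# checks as functions with a return status. Assumes Linux /proc and
# POSIX grep/tr/awk; the function names are the example's own.

# Returns 0 when no file under directory $1 contains the JndiLookup class
# name (the mitigated state), 1 when a match is found. JAR contents match
# because zip entry names are stored uncompressed inside the archive.
jndi_lookup_absent() {
    dir=$1
    [ -d "$dir" ] || return 0          # a missing tree cannot carry the class
    if grep -R -q 'JndiLookup.class' "$dir" 2>/dev/null; then
        return 1
    fi
    return 0
}

# Returns 0 when the NUL-separated environment block in file $1 (for a
# live process: /proc/<pid>/environ) contains LOG4J_FORMAT_MSG_NO_LOOKUPS=true.
environ_has_nolookups() {
    tr '\0' '\n' 2>/dev/null < "$1" | grep -q '^LOG4J_FORMAT_MSG_NO_LOOKUPS=true$'
}

# Walks every running Java process; returns 0 only if each one carries the
# variable, so a process started before the variable was set is reported.
all_java_processes_mitigated() {
    rc=0
    for pid in $(ps ax | grep '[j]ava' | awk '{print $1}'); do
        if environ_has_nolookups "/proc/$pid/environ"; then
            echo "pid $pid: LOG4J_FORMAT_MSG_NO_LOOKUPS=true"
        else
            echo "pid $pid: LOG4J_FORMAT_MSG_NO_LOOKUPS not set to true"
            rc=1
        fi
    done
    return $rc
}

# Full appliance check over the two trees named in the article.
run_appliance_check() {
    rc=0
    for tree in /opt/vmware /var/opt/apache-tomcat; do
        jndi_lookup_absent "$tree" || { echo "$tree: JndiLookup.class still present"; rc=1; }
    done
    all_java_processes_mitigated || rc=1
    return $rc
}

# Run the check only when invoked explicitly:  sh log4j_check.sh --check
if [ "${1:-}" = "--check" ]; then run_appliance_check; fi
```

An exit status of 0 from run_appliance_check means both the class scan and the per-process environment check passed.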
Highlighted sections indicate the most recent updates. See the Change log at the end of this article for all changes.