CVE-2021-44228 has been determined to impact VMware Integrated OpenStack 7.0, 7.0.1, and 7.1 via the Apache Log4j open source component it ships.
This vulnerability and its impact on VMware products are documented in the following VMware Security Advisory (VMSA); please review that advisory before continuing:
CVE-2021-44228 - VMSA-2021-0028
7.x
Notice: this knowledge base article was updated on December 16th, 2021 with a new hotpatch file. If the previous file has been installed, run the uninstall.sh script first, then apply the new hotpatch using the same steps.
Apply the attached hotpatch or upgrade to VMware Integrated OpenStack 7.2. Checksum values for the hotpatch are the following:
To apply the hotpatch for CVE-2021-44228 to VMware Integrated OpenStack 7.0, 7.0.1, or 7.1, perform the following steps:
If the hotpatch needs to be uninstalled at any time, run this command from the directory the hotpatch was extracted into: ./uninstall.sh
To verify installation after running the install.sh script:
root@vxlan-vm-111-161 [ ~/vio-patch-CVE-2021-44228 ]# docker images |grep javalib
docker-registry.default.svc.cluster.local:5000/vmware/vio/javalib 7.1.0.17987093 453ac881448f 18 hours ago 414MB
docker-registry.default.svc.cluster.local:5000/vmware/vio/javalib-bak 7.1.0.17987093 d35ebb51b4e6 8 months ago 414MB
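The listing above shows the expected post-install state: a freshly built javalib image next to the javalib-bak backup, both carrying the same version tag but different image IDs. The following shell check, added here as an example and not part of VMware's hotpatch, encodes that expectation so the verification can be scripted; the sample input is constructed from the listing above.

```shell
#!/bin/sh
# Added example (not VMware's hotpatch code): checks `docker images | grep javalib`
# output for the state the KB shows after install.sh has run.
# Sample output constructed from the KB listing; image IDs are illustrative.
SAMPLE_IMAGES='docker-registry.default.svc.cluster.local:5000/vmware/vio/javalib 7.1.0.17987093 453ac881448f 18 hours ago 414MB
docker-registry.default.svc.cluster.local:5000/vmware/vio/javalib-bak 7.1.0.17987093 d35ebb51b4e6 8 months ago 414MB'

# verify_javalib_patch <docker images output>
# Prints "patched" and returns 0 when both the javalib image and the
# javalib-bak backup are present, share a version tag, and have different
# image IDs (i.e. javalib was actually rebuilt). Returns 1 otherwise.
verify_javalib_patch() {
    printf '%s\n' "$1" | awk '
        $1 ~ /\/vmware\/vio\/javalib$/     { tag = $2; id = $3; seen++ }
        $1 ~ /\/vmware\/vio\/javalib-bak$/ { btag = $2; bid = $3; seen++ }
        END {
            if (seen != 2)  { print "javalib or javalib-bak image missing"; exit 1 }
            if (tag != btag) { print "version tag mismatch between javalib and backup"; exit 1 }
            if (id == bid)   { print "javalib image identical to backup, patch not applied"; exit 1 }
            print "patched"; exit 0
        }'
}

verify_javalib_patch "$SAMPLE_IMAGES"
# On a live host: verify_javalib_patch "$(docker images | grep javalib)"
```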
A malicious actor with network access to an impacted VMware product may exploit this issue to achieve remote code execution. All versions of VMware Integrated OpenStack contain the log4j package for LDAP validation; this component does not expose an endpoint to external access and only runs when a user updates the LDAP configuration. However, further exploitation of the log message lookup feature might be possible.