HOWTO: Python script for VMSA-2021-0028 vulnerability remediation on vCenter Server Appliance (87088)
Purpose
This KB provides a script that automates the workaround steps described in KB https://kb.vmware.com/s/article/87081.
Before proceeding, refer to the following links for more information:
Workaround instructions to address CVE-2021-44228 in vCenter Server and vCenter Cloud Gateway
VMware Security Advisory – VMSA-2021-0028
Highlighted sections indicate the most recent updates.
See the Change log at the end of this article for all changes and subscribe to the article for updates.
Impact / Risks
VCHA needs to be removed before executing the steps in this KB article.
Environments with external PSCs need to have the script executed on both vCenter and PSC appliances.
Resolution
Refer to the Resolution section of KB 87081, Workaround instructions to address CVE-2021-44228 in vCenter Server and vCenter Cloud Gateway.
IMPORTANT:
After finishing the steps here, you MUST complete the remediation process by running the remove_log4j_class.py script in https://kb.vmware.com/s/article/87081.
Workaround
Follow the steps below to automate the workaround steps described in KB 87081:
How to execute the script on vCenter Server Appliance:
Download the script attached to this KB (vmsa-2021-0028-kb87081.py)
Transfer the file to the /tmp folder on the vCenter Server Appliance using WinSCP, or follow the steps below to copy and paste the script contents to the VCSA using PuTTY:
- Log in to the VCSA using an SSH client (PuTTY.exe or any similar SSH client)
- Open the script on your desktop in Notepad (Notepad++ is preferred)
- Copy the entire contents (Ctrl + C)
- On the VCSA, create a new file using the vi command:
- vi /tmp/vmsa-2021-0028-kb87081.py
- Press the ‘i’ key to switch vi to insert mode
- Right-click in the terminal window to paste the script contents copied in the previous step
- Save the file (press Esc, then type :wq! and press Enter)
- Execute the script using the command “python /tmp/vmsa-2021-0028-kb87081.py”
- The script prompts for confirmation before restarting services, as all services must be restarted to apply the workaround. Enter ‘y’ or ‘Y’ to proceed.
- The script then continues and displays its status on screen; sample screenshots of successful executions are available in the Related Information section of this KB.
- Once complete, return to https://kb.vmware.com/s/article/87081 and follow the steps under “Run the remove_log4j_class.py script”
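The remediation in KB 87081 finishes by removing the JndiLookup class from the log4j-core jars on the appliance. The following verification script is an added example, not the script attached to this KB and not VMware code; it walks a directory tree, opens every .jar/.war/.ear/.zip (recursing into nested archives), and lists those that still contain org/apache/logging/log4j/core/lookup/JndiLookup.class. The sample archives it builds when run without arguments are constructed fixtures for demonstration; the scan root you pass on the appliance is your choice.

```python
#!/usr/bin/env python3
"""Report archives that still contain the log4j JndiLookup class.

Added verification example (not the KB's attached script). Intended to be run
after remove_log4j_class.py to confirm that no deployed archive, including
jars nested inside wars, still carries JndiLookup.class.
"""
import io
import os
import sys
import tempfile
import zipfile

# Path of the class removed by the KB 87081 remediation.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def archive_has_jndi_lookup(data):
    """Return True if the archive bytes, or any archive nested in them, contain JndiLookup.class."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name == JNDI_LOOKUP:
                    return True
                # Nested archives (e.g. WEB-INF/lib/*.jar inside a war) are scanned too.
                if name.lower().endswith(ARCHIVE_EXT) and archive_has_jndi_lookup(zf.read(name)):
                    return True
    except zipfile.BadZipFile:
        # Not a zip container; nothing to inspect.
        return False
    return False


def find_unremediated_archives(root):
    """Walk root and return the sorted paths of archives still containing JndiLookup.class."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if archive_has_jndi_lookup(data):
                hits.append(path)
    return sorted(hits)


def build_sample_tree(base):
    """Constructed fixture: one remediated jar, one unremediated jar, one war nesting a bad jar."""
    os.makedirs(base, exist_ok=True)

    def make_jar(path, names):
        with zipfile.ZipFile(path, "w") as zf:
            for n in names:
                zf.writestr(n, b"\xca\xfe\xba\xbe")  # class-file magic only; not a real class

    make_jar(os.path.join(base, "clean.jar"), ["org/apache/logging/log4j/core/Logger.class"])
    make_jar(os.path.join(base, "vulnerable.jar"), [JNDI_LOOKUP])
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(base, "app.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core.jar", inner.getvalue())
    return base


def demo():
    """Scan the constructed fixture and return the base names of archives flagged."""
    base = build_sample_tree(tempfile.mkdtemp(prefix="log4j-check-"))
    return [os.path.basename(p) for p in find_unremediated_archives(base)]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        flagged = find_unremediated_archives(sys.argv[1])
    else:
        flagged = demo()
    for p in flagged:
        print("JndiLookup.class still present: %s" % p)
    print("%d archive(s) still need remediation" % len(flagged))
```

Run it as `python3 /tmp/check_jndi_lookup.py /usr/lib/vmware` (or whichever directories hold the appliance's jars) after the KB 87081 steps; a non-empty list means a jar was missed. Without an argument it scans its own constructed fixture, where the clean jar is ignored and both the plain jar and the war with a nested jar are reported.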
Change log:
- December 13th 2021 – 10:30 PST: Updated the attached Python script with a fix for the error message “Encountered an internal error.\n\nInstall-parameter deployment.node.type not set”
- December 14th 2021 – 12:21 PST: Added hyperlink to the script name mentioned in the first step “Download the script attached this KB”
- December 14th 2021 – 12:21 PST: Added vCenter Version details in Sample Screenshot in Related Information Section
- December 14th 2021 – 15:17 PST: Corrected typo in the script – “Successfully” to “Successfully”
- December 16th 2021 – 14:30 PST: Added instructions to return to KB 87081 and finalize the remediation by running the remove_log4j_class.py script there
Sample Screenshot from VCSA 7.0:
Sample Screenshot from VCSA 6.7 U3o (6.7.0.50000 build 18485166) or older builds:
Sample Screenshot from VCSA 6.7 U3p (build 18831133) or higher builds: