Purpose
CVE-2021-44228 has been determined to impact VCO via the Apache Log4j open source component it ships. This vulnerability and its impact on VMware products are documented in the following VMware Security Advisory (VMSA).
Please review this document before continuing:
- CVE-2021-44228 – VMSA-2021-0028
Note: **CVE-2021-45105 vulnerability is not exploitable based on the use and configuration of Log4j in the VCO**
See the Change log at the end of this article for all changes and subscribe to the article for updates.
Resolution
The workarounds described in this document are meant to be a temporary solution only. Upgrades documented in the aforementioned advisory should be applied to remediate CVE-2021-44228 when available.
** Please note all of our Hosted Customer VCOs are being mitigated with this solution with completion expected by end of the day Friday, 12-17-2021 UTC **
Workaround
Notice: On December 14, 2021 the Apache Software Foundation notified the community that their initial guidance for CVE-2021-44228 workarounds was not sufficient. We believe the instructions in this article to be an effective mitigation for CVE-2021-44228, but in the best interest of our customers we must assume this workaround may not adequately address all attack vectors.
We expect to fully address both CVE-2021-44228 and CVE-2021-45046 by updating log4j to version 2.16 in forthcoming releases of VCO, as outlined by our software support policies. VMSA-2021-0028 will be updated when these releases are available.
Note: There is no impact, loss of services, or access to the VCO during or after performing this workaround.
To apply the workaround for CVE-2021-44228 to VCO perform the following steps:
- Download Python Script attached to this KB “mitigate-log4j.py”
- Copy Python Script to VCO using an account with sudo access (vcadmin can be used) –
- scp <PATH to Python Script>/mitigate-log4j.py <USER>@<VCO>:/home/<USER>/mitigate-log4j.py
- SSH to VCO with the user account used for SCP
- Verify File is copied to VCO
- ls
- Change Permissions of script:
- sudo chmod 0660 mitigate-log4j.py
- Switch to root user and copy script to root directory –
- sudo su
- cp mitigate-log4j.py /root/mitigate-log4j.py
- Verify that file is in /root/
- cd /root
- ls
- Create cron job
- vi /etc/cron.d/mitigate-log4j
- Once in VI, copy the below line and paste in VIM:
- */5 * * * * root python3 /root/mitigate-log4j.py
- Save File
- esc
- :wq!
- Change permission of cronjob
- chmod 0644 /etc/cron.d/mitigate-log4j
- After 5 minutes, verify that cronjob is running:
- grep CRON /var/log/syslog
To verify the workaround for CVE-2021-44228 has been correctly applied to VCO, perform the following steps:
- SSH to VCO using an account with sudo access (vcadmin can be used)
- Run command –
- sudo nsenter -t $(sudo lsns | grep vipservice.cross.domain.allowCredentials | grep net | awk ‘{ print $4 }’) -n sh -c ‘iptables -L’
- Verify that 2 new OUTPUT rules are in place: one ACCEPT and one REJECT
- Expected output:
To revert the workaround for CVE-2021-44228 to VCO perform the following steps:
- SSH to VCO using an account with sudo access (vcadmin can be used)
- Remove cronjob and script:
- sudo rm /etc/cron.d/mitigate-log4j
- sudo rm /root/mitigate-log4j.py
- Restart the VIP Container and the change will be reverted:
- sudo systemctl restart i18n
Related Information
Change log:
- December 15th, 2021 – Updated command for reverting change.
- December 15th, 2021 – Updated grammar and punctuation.
- December 15th, 2021 – Updated verification command.
- December 15th, 2021 – Updated grammar and punctuation.
- December 16th, 2021 – Updated verification command.
- December 16th, 2021 – Updated Resolution section confirming Hosted Customer VCOs are being mitigated with workaround application.
- December 17th, 2021 – Updated Resolution section with persistent fix instructions, Impact/Risks section adjusted, uploaded “mitigate-log4j.py” python script, formatting changes.
- December 17th, 2021 – Updated Hosted Customer VCO mitigation completion date to include actual date 12-17-2021.
- December 22nd, 2021 – Updated Purpose section to verify CVE-2021-45105 vulnerability is not exploitable in our VCOs.
- December 22nd, 2021 – Included Note in Workaround section elaborating there is no impact or loss of services when performing the workaround.