HOWTO: Workaround to address CVE-2021-44228 in Workspace ONE Access Appliance (87090)
Purpose
CVE-2021-44228 has been determined to impact Workspace ONE Access via the Apache Log4j open source component it ships. This vulnerability and its impact on VMware products are documented in the following VMware Security Advisory (VMSA); please review that advisory before continuing:
- CVE-2021-44228 – VMSA-2021-0028
Impact / Risks
Possible compromise due to crafted API calls
List of affected versions
- 21.08.0.1 – VMware Workspace ONE Access Appliance
- 21.08.0.0 – VMware Workspace ONE Access Appliance
- 20.10.0.1 – VMware Workspace ONE Access Appliance
- 20.10.0.0 – VMware Workspace ONE Access Appliance
Resolution
***The workarounds described in this document are meant to be a temporary solution only.
Upgrades documented in the aforementioned advisory should be applied to remediate CVE-2021-44228 when available.***
Workaround
NOTE:
- It is recommended to upgrade instances of unsupported versions to newer, supported versions before applying the workaround. This procedure may not work on older, unsupported versions. Please refer to the VMware Lifecycle Matrix for a list of supported versions of the product.
- It is strongly recommended to take a snapshot of the appliance before applying the procedure.
Steps:
1. Log in as sshuser and sudo to root.
2. Edit the /opt/vmware/horizon/workspace/bin/setenv.sh file.
3. Find the "JVM_OPTS=" section, and find the following configuration line:
-Dset.rmi.server.hostname=true \
Under that line insert the following configuration, and save the file:
-Dlog4j2.formatMsgNoLookups=true \
4. Restart the horizon-workspace service using the command:
service horizon-workspace restart
NOTE: Steps 5 through 7 are needed only if certproxy for Android SSO is configured.
5. Edit the /opt/vmware/certproxy/bin/cert-proxy.sh file.
6. Find the "JAVA_OPTS=" section, and find the following configuration line:
JAVA_OPTS="-Dcatalina.base=/opt/vmware/horizon/workspace \
Under that line insert the following configuration, and save the file:
-Dlog4j2.formatMsgNoLookups=true \
7. Restart the certproxy service using the command:
/etc/init.d/vmware-certproxy restart
8. Edit the /opt/vmware/elasticsearch/config/jvm.options file.
9. Find the following configuration line:
-Dlog4j2.disable.jmx=true
Under that line insert the following configuration, and save the file:
-Dlog4j2.formatMsgNoLookups=true
10. Restart the elasticsearch service using the command:
service elasticsearch restart
Alternatively, use the attached log4j.sh script to make the changes:
- Download the attached log4j.sh file and scp it to the /tmp directory of the appliance
- Log in to the appliance as sshuser and sudo to root
- Change to the /tmp directory
cd /tmp
- Run the following command to make the log4j.sh script executable:
chmod +x log4j.sh
- Run the following command to execute the script:
./log4j.sh