HOWTO: Workaround to address CVE-2021-44228 in Workspace ONE Access Appliance (87090)

Purpose

CVE-2021-44228 has been determined to impact Workspace ONE Access via the Apache Log4j open source component it ships. This vulnerability and its impact on VMware products are documented in the following VMware Security Advisory (VMSA); please review that advisory before continuing:

Impact / Risks
Possible compromise due to crafted API calls
List of affected versions:

  • 21.08.0.1 – VMware Workspace ONE Access Appliance
  • 21.08.0.0 – VMware Workspace ONE Access Appliance
  • 20.10.0.1 – VMware Workspace ONE Access Appliance
  • 20.10.0.0 – VMware Workspace ONE Access Appliance

Resolution
***The workarounds described in this document are meant to be a temporary solution only. 
Upgrades documented in the aforementioned advisory should be applied to remediate CVE-2021-44228 when available.***
Workaround

NOTE:

  • It is recommended to upgrade instances of unsupported versions to newer, supported versions before applying the workaround. This procedure may not work on older, unsupported versions. Please refer to the VMware Lifecycle Matrix for a list of supported versions of the product.
  • It is strongly recommended to take a snapshot of the appliance before applying this procedure.

Steps:

  1. Log in as sshuser and sudo to root.
  2. Edit the /opt/vmware/horizon/workspace/bin/setenv.sh file.
  3. Find the "JVM_OPTS=" section, and find the following configuration line:
    -Dset.rmi.server.hostname=true \
    Under that line insert the following configuration, and save the file:
    -Dlog4j2.formatMsgNoLookups=true \
  4. Restart the horizon-workspace service using the command:
    service horizon-workspace restart

NOTE: Steps 5 through 7 are needed only if certproxy for Android SSO is configured.

  5. Edit the /opt/vmware/certproxy/bin/cert-proxy.sh file.
  6. Find the "JAVA_OPTS=" section, and find the following configuration line:
    JAVA_OPTS="-Dcatalina.base=/opt/vmware/horizon/workspace \
    Under that line insert the following configuration, and save the file:
    -Dlog4j2.formatMsgNoLookups=true \
  7. Restart the certproxy service using the command:
    /etc/init.d/vmware-certproxy restart
  8. Edit the /opt/vmware/elasticsearch/config/jvm.options file.
  9. Find the following configuration line:
    -Dlog4j2.disable.jmx=true
    Under that line insert the following configuration, and save the file:
    -Dlog4j2.formatMsgNoLookups=true
  10. Restart the elasticsearch service using the command:
    service elasticsearch restart

Alternatively, use the attached log4j.sh script to make the changes.

  1. Download the attached log4j.sh file and scp it to the /tmp directory of the appliance.
  2. Log in to the appliance as sshuser and sudo to root.
  3. Change to the /tmp directory:
    cd /tmp
  4. Run the following command to make the log4j.sh script executable:
    chmod +x log4j.sh
  5. Run the following command to execute the script:
    ./log4j.sh
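The attached log4j.sh is not reproduced in this article. As an added illustration of what the manual steps and such a script have to do, the POSIX shell helper below (written for this page, not VMware's script) inserts the -Dlog4j2.formatMsgNoLookups=true flag directly under a given anchor line, keeps the anchor's indentation, refuses to duplicate the flag on a re-run, and fails loudly when the anchor is missing (a wrong file or an unexpected version) instead of silently leaving the file unpatched. The function names insert_after and flag_present are this example's own, and it edits constructed sample copies of setenv.sh and jvm.options in a temporary directory rather than the appliance's real /opt/vmware files.

```shell
#!/bin/sh
# Added example (not the VMware-attached log4j.sh): an idempotent "insert flag
# under anchor line" helper plus a presence check, exercised on constructed
# sample files. On a real appliance, pass the /opt/vmware paths from the steps
# above instead of the files created under $WORK.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# flag_present FILE FLAG -> exit 0 if FLAG already appears (literally) in FILE
flag_present() {
    grep -q -F -- "$2" "$1"
}

# insert_after FILE ANCHOR NEWLINE
# Writes NEWLINE, with the anchor line's indentation, directly after the first
# line that contains ANCHOR. No-op if NEWLINE is already present (safe to re-run);
# returns 1 without touching the file if ANCHOR is not found.
insert_after() {
    ia_file=$1
    if flag_present "$ia_file" "$3"; then
        echo "already present in $ia_file: $3"
        return 0
    fi
    if ! grep -q -F -- "$2" "$ia_file"; then
        echo "anchor not found in $ia_file: $2" >&2
        return 1
    fi
    ia_tmp="$ia_file.tmp.$$"
    # Values are passed through ENVIRON rather than awk -v so that the trailing
    # backslash used in shell continuation lines survives untouched.
    ANCHOR="$2" NEWLINE="$3" awk '
        BEGIN { a = ENVIRON["ANCHOR"]; n = ENVIRON["NEWLINE"]; done = 0 }
        { print }
        !done && index($0, a) > 0 {
            match($0, /^[ \t]*/)            # reuse the anchor line indentation
            print substr($0, 1, RLENGTH) n
            done = 1
        }
    ' "$ia_file" > "$ia_tmp" && mv "$ia_tmp" "$ia_file"
}

# --- constructed sample files: shapes follow the KB steps, contents are made up ---
cat > "$WORK/setenv.sh" <<'EOF'
#!/bin/sh
JVM_OPTS="-Xmx4g \
    -Dset.rmi.server.hostname=true \
    -Djava.awt.headless=true"
EOF

cat > "$WORK/jvm.options" <<'EOF'
-Xms1g
-Dlog4j2.disable.jmx=true
EOF

FLAG='-Dlog4j2.formatMsgNoLookups=true'

# The same edits as steps 3 and 9 of the manual procedure, applied to the samples.
insert_after "$WORK/setenv.sh"   '-Dset.rmi.server.hostname=true \' "$FLAG \\"
insert_after "$WORK/jvm.options" '-Dlog4j2.disable.jmx=true'        "$FLAG"

# Post-check: each file must now carry the flag. The running JVMs only pick it
# up after the service restarts listed in the steps above.
for f in "$WORK/setenv.sh" "$WORK/jvm.options"; do
    flag_present "$f" "$FLAG" && echo "OK: $f" || echo "MISSING: $f"
done
```

Running insert_after a second time prints "already present" and leaves the file unchanged, which is the property you want from a workaround script that may be executed more than once during an incident. The anchor check matters for the same reason: if a future build renames the anchor line, the script reports a failure rather than leaving a file unpatched while the operator believes it is done.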