Workaround to address CVE-2021-44228 in vRealize Suite Lifecycle Manager 8.x with screenshots

Updated: Apr 24


 

The steps in this article are taken from VMware KB article 87097. The only difference is that this post includes screenshots, which should help while implementing the workaround.

 

I've documented these steps with screenshots and outputs in this PDF too. Click to download and see the detailed output that is produced when the workaround is implemented.


CVE-2021-44228_vRSLCM_8.x_Workaround_Implementation_with_screenshots.pdf (Download PDF, 661KB)


 

NOTE:


If your vRSLCM appliance was originally deployed on an earlier 8.x release (8.0 or 8.1) and later upgraded, there is a chance that a leftover file named "vmlcm-service-8.1.x-SNAPSHOT.jar" or "vmlcm-service-8.0.x-SNAPSHOT.jar" is still present. In that case the workaround script fails with the message "vRSLCM services jar does not exist".





To fix this, move the old file to a different location (do not delete it, so that you can roll back) and then execute the script again.


The folder always looks like the screenshot below: a single vmlcm-service-<version>-SNAPSHOT.jar, here vmlcm-service-8.6.0-SNAPSHOT.jar, which is the file the service currently uses. The version is part of the file name.



Remember, the workaround works only for vRSLCM 8.2 onwards.
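The following is an added illustration of the cleanup described in the note above; it is not part of VMware KB 87097 or of the log4jfix.sh script. It assumes python3 is available on the appliance and that you pass in the directory that holds the service jar (the page does not name that directory, so it is an argument). It keeps only the highest-versioned vmlcm-service-*-SNAPSHOT.jar in place and moves every older one into a backup folder, which is what the note asks you to do by hand. The demo() fixture uses constructed, empty placeholder files, not real jars.

```python
"""Move stale vmlcm-service-<version>-SNAPSHOT.jar files aside before running log4jfix.sh.

Added illustration; not part of KB 87097 or of the log4jfix.sh script. It assumes
python3 is available on the appliance and that the caller passes the directory that
holds the service jar (its location is not named on the page, so it is an argument).
"""
import re
import shutil
import tempfile
from pathlib import Path

JAR_RE = re.compile(r"^vmlcm-service-(\d+)\.(\d+)\.(\d+)-SNAPSHOT\.jar$")


def parse_version(name):
    """Return (major, minor, patch) for a vmlcm-service SNAPSHOT jar name, else None."""
    m = JAR_RE.match(name)
    return tuple(int(x) for x in m.groups()) if m else None


def find_service_jars(service_dir):
    """Map every vmlcm-service SNAPSHOT jar in service_dir to its parsed version."""
    found = {}
    for p in Path(service_dir).iterdir():
        v = parse_version(p.name)
        if v is not None and p.is_file():
            found[p] = v
    return found


def move_stale_jars(service_dir, backup_dir):
    """Keep the highest-versioned vmlcm-service jar in place; move the others to backup_dir.

    Returns (kept_name, sorted list of moved names). Files are moved rather than
    deleted so the change can be rolled back; the appliance snapshot from Step 1
    is the second safety net.
    """
    jars = find_service_jars(service_dir)
    if not jars:
        raise FileNotFoundError(f"no vmlcm-service-*-SNAPSHOT.jar found in {service_dir}")
    current = max(jars, key=jars.get)          # highest (major, minor, patch) wins
    backup = Path(backup_dir)
    backup.mkdir(parents=True, exist_ok=True)
    moved = []
    for p in jars:
        if p != current:
            shutil.move(str(p), str(backup / p.name))
            moved.append(p.name)
    return current.name, sorted(moved)


def demo():
    """Constructed fixture: an upgraded appliance that still carries 8.0/8.1 leftovers."""
    root = Path(tempfile.mkdtemp(prefix="vrslcm-demo-"))
    for name in ("vmlcm-service-8.0.2-SNAPSHOT.jar", "vmlcm-service-8.1.0-SNAPSHOT.jar",
                 "vmlcm-service-8.6.0-SNAPSHOT.jar", "blackstone-external-8.6.1.jar"):
        (root / name).write_bytes(b"")        # empty placeholder files, not real jars
    return move_stale_jars(root, root / "stale-jars")


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        kept, moved = move_stale_jars(sys.argv[1], sys.argv[2])
    else:
        kept, moved = demo()
    print("current jar kept :", kept)
    print("stale jars moved :", ", ".join(moved) or "none")
```

Run it as `python3 move_stale_jars.py <service-dir> <backup-dir>` on the appliance, or with no arguments to see the constructed fixture; the blackstone-external jar is left alone because only vmlcm-service SNAPSHOT names are matched.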

 

Details


CVE-2021-44228 has been determined to impact vRealize Suite Lifecycle Manager 8.2.0 - 8.6.x via the Apache Log4j open source component it ships. This vulnerability and its impact on VMware products are documented in the following VMware Security Advisory (VMSA); please review it before continuing.


CVE-2021-44228 - VMSA-2021-0028


 

Resolution


The workarounds described in this document are meant to be a temporary solution only.

Upgrades documented in the aforementioned advisory should be applied to remediate CVE-2021-44228 when available.

 

Workaround


Step:1

Take a snapshot of the vRealize Suite Lifecycle Manager appliance as shown below. One can also take the snapshot from the vCenter UI.






Step:2

Download the log4jfix.sh file attached to VMware KB article 87097 and copy it to the /tmp directory of the vRSLCM appliance.




Step:3


Change to the /tmp directory


cd /tmp

Run the following command to make the log4jfix.sh script executable:


chmod +x log4jfix.sh




Step:4


Then execute the script as shown below


Lines marked * indicate that other output lines have been omitted in between. The full output is in the attached PDF document.




root@lcm [ /tmp ]# ./log4jfix.sh
Get the version of jar
vRSLCM version:  860
Blackstone version:  861
Archive:  vmlcm-service-8.6.0-SNAPSHOT.jar
   creating: META-INF/
  inflating: META-INF/MANIFEST.MF
   creating: org/
   creating: org/springframework/
   creating: org/springframework/boot/
   creating: org/springframework/boot/loader/
  inflating: org/springframework/boot/loader/Launcher.class
  inflating: org/springframework/boot/loader/JarLauncher.class
   creating: org/springframework/boot/loader/archive/
  inflating: org/springframework/boot/loader/archive/JarFileArchive$JarFileEntry.class
   creating: org/springframework/boot/loader/data/
*
*
*
 extracting: BOOT-INF/lib/spring-plugin-core-1.2.0.RELEASE.jar
 extracting: BOOT-INF/lib/spring-plugin-metadata-1.2.0.RELEASE.jar
 extracting: BOOT-INF/lib/mapstruct-1.2.0.Final.jar
 extracting: BOOT-INF/lib/springfox-swagger-ui-2.9.2.jar
updating: BOOT-INF/classes/log4j2.xml
        zip warning: Local Entry CRC does not match CD: BOOT-INF/classes/log4j2.xml
 (deflated 60%)
test of vmlcm-service-8.6.0-SNAPSHOT.jar OK
Zip action:  0
Waiting for vRLCM services to start.
Waiting for vRLCM services to start.
Waiting for vRLCM services to start.
Waiting for vRLCM services to start.
Waiting for vRLCM services to start.
Waiting for vRLCM services to start.
Waiting for vRLCM services to start.
Waiting for vRLCM services to start.
Waiting for vRLCM services to start.
Waiting for vRLCM services to start.
Archive:  blackstone-external-8.6.1.jar
   creating: META-INF/
  inflating: META-INF/MANIFEST.MF
   creating: org/
   creating: org/springframework/
   creating: org/springframework/boot/
   creating: org/springframework/boot/loader/
  inflating: org/springframework/boot/loader/Launcher.class
  inflating: org/springframework/boot/loader/JarLauncher.class
  
*
*
*

 extracting: BOOT-INF/lib/springfox-swagger-ui-2.9.2.jar
 extracting: BOOT-INF/lib/log4j-core-2.8.2.jar
 extracting: BOOT-INF/lib/log4j-api-2.8.2.jar
updating: BOOT-INF/classes/log4j2.xml
        zip warning: Local Entry CRC does not match CD: BOOT-INF/classes/log4j2.xml
 (deflated 61%)
test of blackstone-external-8.6.1.jar OK
Zip action:  0
Waiting for Blackstone services to start.
Waiting for Blackstone services to start.
Waiting for Blackstone services to start.
Waiting for Blackstone services to start.
 

The script has now been run; it takes approximately 5 to 8 minutes to complete. The vRSLCM and Blackstone services are restarted during the run (the "Waiting for ... services to start" lines above), so expect a short interruption of the vRSLCM UI.
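The output above shows the script updating only BOOT-INF/classes/log4j2.xml inside each jar, while the bundled log4j-core-2.8.2.jar is extracted and repacked unchanged. The following added illustration (not part of KB 87097 or of the log4jfix.sh script) audits a jar after the run so that you can confirm that state for yourself: it reports the bundled log4j-core version, whether the JndiLookup class that CVE-2021-44228 lives in is still shipped, and the log4j2.xml the script rewrote. It assumes python3 on the appliance and takes the jar paths as arguments; the page names the jars (vmlcm-service-8.6.0-SNAPSHOT.jar and blackstone-external-8.6.1.jar) but not their directory. build_sample_jar() is a constructed stand-in with the same entry names, used only when no path is given.

```python
"""Audit what log4jfix.sh left inside a Spring Boot jar: bundled log4j-core version,
whether JndiLookup is still shipped, and the log4j2.xml the script rewrote.

Added illustration; not part of KB 87097 or of the log4jfix.sh script. It assumes
python3 on the appliance and takes jar paths as arguments.
"""
import io
import os
import re
import tempfile
import zipfile

LOG4J_CORE_RE = re.compile(r"^BOOT-INF/lib/log4j-core-([0-9A-Za-z.\-]+)\.jar$")
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_CONFIG = "BOOT-INF/classes/log4j2.xml"


def version_tuple(v):
    """'2.8.2' -> (2, 8, 2); only the leading numeric fields are compared."""
    nums = [int(p) for p in re.findall(r"\d+", v)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def affected_by_44228(vt):
    """True if this log4j-core version is in the CVE-2021-44228 range:
    2.x below 2.15.0, except the 2.12.2 and 2.3.1 backport fixes."""
    if vt < (2, 0, 0) or vt >= (2, 15, 0):
        return False
    if vt[:2] == (2, 12):
        return vt < (2, 12, 2)
    if vt[:2] == (2, 3):
        return vt < (2, 3, 1)
    return True


def audit_boot_jar(jar_path):
    """Describe the log4j state inside a Spring Boot fat jar without unpacking it to disk."""
    report = {"log4j_core": [], "jndi_lookup_present": False, "log4j2_xml": None}
    with zipfile.ZipFile(jar_path) as outer:
        names = outer.namelist()
        for name in names:
            m = LOG4J_CORE_RE.match(name)
            if not m:
                continue
            ver = m.group(1)
            # Spring Boot stores nested jars uncompressed (hence "extracting:" rather than
            # "inflating:" in the script output); zipfile can open them from memory either way.
            with zipfile.ZipFile(io.BytesIO(outer.read(name))) as inner:
                has_jndi = JNDI_LOOKUP in inner.namelist()
            report["log4j_core"].append({"version": ver, "jndi_lookup_present": has_jndi,
                                         "affected_version": affected_by_44228(version_tuple(ver))})
            report["jndi_lookup_present"] = report["jndi_lookup_present"] or has_jndi
        if LOG4J_CONFIG in names:
            report["log4j2_xml"] = outer.read(LOG4J_CONFIG).decode("utf-8", "replace")
    return report


def build_sample_jar(path):
    """Constructed stand-in for blackstone-external-8.6.1.jar with the entries the script
    output lists: a nested log4j-core-2.8.2.jar (still carrying JndiLookup) and a log4j2.xml."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")      # class-file magic only, not real code
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("BOOT-INF/lib/log4j-core-2.8.2.jar", inner.getvalue(),
                   compress_type=zipfile.ZIP_STORED)
        z.writestr(LOG4J_CONFIG, "<Configuration><!-- constructed placeholder --></Configuration>")
    return path


def demo():
    """Audit the constructed sample jar."""
    jar = build_sample_jar(os.path.join(tempfile.mkdtemp(prefix="vrslcm-audit-"),
                                        "blackstone-external-8.6.1.jar"))
    return audit_boot_jar(jar)


if __name__ == "__main__":
    import json
    import sys
    reports = {j: audit_boot_jar(j) for j in sys.argv[1:]} or {"constructed sample": demo()}
    print(json.dumps(reports, indent=2))
```

On a patched appliance you should expect jndi_lookup_present to be true and affected_version to be true for the 2.8.2 core: the workaround changes the logging configuration, not the library, which is why the advisory treats it as temporary and why the upgrade still has to be applied. Printing log4j2_xml lets you eyeball the exact change the script made to the configuration.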


 



