Python script to automate the workaround steps of VMSA-2021-0028 vulnerability on vCenter Server Appliance

Article ID: 318882

Products

VMware vCenter Server

Issue/Introduction

This KB automates the workaround steps described in KB 87081 (https://kb.vmware.com/s/article/87081).

Before proceeding, refer to the following links for more information:
  • Workaround instructions to address CVE-2021-44228 in vCenter Server and vCenter Cloud Gateway
  • VMware Security Advisory - VMSA-2021-0028

Highlighted sections indicate the most recent updates. See the Change log at the end of this article for all changes and subscribe to the article for updates.

Environment

VMware vCenter Server 7.0.x
VMware vCenter Server Appliance 6.7.x
VMware vCenter Server Appliance 6.5.x

Resolution

IMPORTANT: The steps in this article are now obsolete due to the release of vc_log4j_mitigator.py. Please use KB 87081 to remediate the vCenter Server Appliance.

Please refer to the Resolution section in KB Workaround instructions to address CVE-2021-44228 in vCenter Server and vCenter Cloud Gateway.

IMPORTANT: After finishing the steps here, you MUST complete the remediation process by running the remove_log4j_class.py script in https://kb.vmware.com/s/article/87081.

Workaround:
Follow the steps below to automate the workaround steps described in KB 87081:

How to execute the script on vCenter Server Appliance:
  • Download the script attached to this KB (vmsa-2021-0028-kb87081.py)
  • Transfer the file to the /tmp folder on the vCenter Server Appliance using WinSCP, or follow the steps below to copy and paste the script contents to the VCSA using PuTTY:
    • Log in to the VCSA using an SSH client (PuTTY.exe or any similar SSH client)
    • Open the script on your desktop in Notepad (Notepad++ is preferred)
    • Copy the entire contents (Ctrl + C)
    • On the VCSA, create a new file using the vi command:
      • vi /tmp/vmsa-2021-0028-kb87081.py
      • Press the 'i' key to switch the vi editor to write/insert mode
      • Right-click on the screen to paste the script contents copied in the previous step
      • Save the contents (press Esc, then type :wq! followed by the Enter key)
  • Execute the script using the command "python /tmp/vmsa-2021-0028-kb87081.py"
  • The script will prompt for user input to confirm the service restart, as all services need to be restarted to implement the workaround. Enter 'y' or 'Y' if you want to proceed with the script.
  • The script will then proceed, and the status will be displayed on the screen. Sample screenshots of successful executions are available in the Related Information section of this KB.
  • Once complete, return to https://kb.vmware.com/s/article/87081 and follow the steps to "Run the remove_log4j_class.py script"


Additional Information

Change log:
  • December 13th 2021 - 10:30 PST: Updated the attached python script with resolution for error message "Encountered an internal error.\n\nInstall-parameter deployment.node.type not set"
  • December 14th 2021 - 12:21 PST: Added hyperlink to the script name mentioned in the first step "Download the script attached this KB"
  • December 14th 2021 - 12:21 PST: Added vCenter Version details in Sample Screenshot in Related Information Section
  • December 14th 2021 - 15:17 PST: Corrected typo in the script - "Successfully" to "Successfully"
  • December 16th 2021 - 14:30 PST: Added instructions to return to KB 87081 and finalize the remediation by running the remove_log4j_class.py script there
  • December 18th 2021 - 10:00 PST: Updated script to skip VUM changes if VC is Cloud Gateway Appliance. Also, added an error check to handle failure in reading the actual VC version from file /etc/issue.
  • December 21st 2021 - 10:30 PST: Marked article as obsolete. Only use this article as reference to past steps going forward.

Sample Screenshot from VCSA 7.0:
VC_70_result.jpg

Sample Screenshot from VCSA 6.7 U3o (6.7.0.50000 build 18485166) or older builds:
VC_67_Below_U3p.jpg

Sample Screenshot from VCSA 6.7 U3p (build 18831133) or higher builds:
VC_67_u3p_result1.jpg

Impact/Risks:
  • VCHA needs to be removed before executing the steps in this KB article.
  • Environments with external PSCs need to have the script executed on both vCenter and PSC appliances.


Attachments

vmsa-2021-0028-kb87081