- The workaround described in this document is meant to be a temporary solution only.
- Upgrades documented in the aforementioned advisory should be applied to remediate CVE-2021-44228 and CVE-2021-45046 when they become available.
Workaround:
Notice: The content below was updated on 12/16/2021 to add workaround steps for the related CVE-2021-45046 noted above. Run all of the steps below even if you have already implemented the original CVE-2021-44228 workaround by running the "li-log4j-fix.sh" script.
To apply the workaround for CVE-2021-44228 and CVE-2021-45046 to vRealize Log Insight, perform the following steps on each vRealize Log Insight node in the cluster:
- Copy the attached li-log4j-fix.tar.gz file to the /tmp directory using a utility like WinSCP or FileZilla
- Log into the node as root via SSH or Console, pressing ALT+F1 in a Console to log in.
Note: If you are unable to connect to vRealize Log Insight because its services have not started, or the virtual machine hangs on boot, or it boots but is inaccessible with console messages stating "no network found", refer to this article:
The vRealize Log Insight root partition is full (82170)
- Change to the /tmp directory on all nodes
cd /tmp
- Untar the li-log4j-fix.tar.gz file
tar xzf li-log4j-fix.tar.gz
- Run the following commands to make the li-log4j-fix-def.sh and li-log4j-fix-class.sh scripts executable:
chmod +x li-log4j-fix-def.sh
chmod +x li-log4j-fix-class.sh
- Run the following commands on all nodes to execute the scripts:
./li-log4j-fix-def.sh
./li-log4j-fix-class.sh
Note: Ensure there are no ERROR messages in the output of either script before continuing.
- Restart the vRealize Log Insight service:
service loginsight restart
- Make sure that the service is up before proceeding to the next node
service loginsight status
Note: If the service is running, you will see the following in the output from the above command:
Active: active (exited)
Verify the workaround
To verify the workarounds for CVE-2021-44228 and CVE-2021-45046 have been correctly applied to vRealize Log Insight, perform the following steps:
- Log into each node as root via SSH or Console, pressing ALT+F1 in a Console to log in
- Run the following command to verify that the workaround was applied:
ps axf | grep --color log4j2.formatMsgNoLookups | grep -v grep
Note: The command above should produce output.
If it produces no output on a node, the workaround was not successfully applied on that node.
Re-run the workaround steps above on that node and check again for output.
- Re-run li-log4j-fix-class.sh to re-check for impacted .jar files:
./li-log4j-fix-class.sh
Note: The following output is expected if the workaround was successfully applied:
Searching for impacted .jar files. Please wait...
No impacted .jar files found
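The two checks above test different things: the ps/grep check confirms the running JVM was started with the log4j2.formatMsgNoLookups property, and li-log4j-fix-class.sh confirms no log4j-core .jar on disk still carries the JndiLookup class. The following Python helper is an added example, not VMware's script, that performs both checks in one place so the result can be collected from each node and compared. The sample jar files it builds are constructed fixtures; the property name and the JndiLookup.class path are the real ones, but the lib directory path and the command line strings are assumptions.

```python
"""Added example: a stand-alone check for the two vRealize Log Insight
log4j workaround conditions (not VMware's li-log4j-fix scripts)."""
import os
import sys
import tempfile
import zipfile

# Real identifiers from the log4j advisories and the KB's grep check.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NO_LOOKUPS_PROPERTY = "log4j2.formatMsgNoLookups"


def has_no_lookups_flag(cmdline):
    """Equivalent of `ps axf | grep log4j2.formatMsgNoLookups`: True only
    if the JVM command line sets the property to true. Note that this
    property alone does not cover CVE-2021-45046, which is why the jar
    check below is also required."""
    for token in cmdline.split():
        if token.startswith("-D" + NO_LOOKUPS_PROPERTY + "="):
            return token.split("=", 1)[1].lower() == "true"
    return False


def jar_contains_jndi_lookup(jar_path):
    """True if the jar still ships JndiLookup.class (i.e. is impacted)."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            return JNDI_LOOKUP_CLASS in zf.namelist()
    except zipfile.BadZipFile:
        # Not a valid zip/jar; treat as not impacted but worth a warning.
        print("warning: not a valid jar: %s" % jar_path, file=sys.stderr)
        return False


def find_impacted_jars(root):
    """Walk a directory tree and return sorted paths of jars that still
    contain JndiLookup.class, mirroring the 'impacted .jar' search."""
    impacted = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                if jar_contains_jndi_lookup(path):
                    impacted.append(path)
    return sorted(impacted)


def build_sample_tree(base):
    """Constructed fixture (assumed layout): one unpatched jar that still
    carries JndiLookup.class and one patched jar with the class removed."""
    lib = os.path.join(base, "lib")
    os.makedirs(lib, exist_ok=True)
    with zipfile.ZipFile(os.path.join(lib, "log4j-core-unpatched.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # fake class bytes
    with zipfile.ZipFile(os.path.join(lib, "log4j-core-patched.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")


def demo_scan():
    """Run both checks against the constructed fixture and return a
    summary dict; a real run would point find_impacted_jars at the
    appliance's library directories and read the JVM command line."""
    base = tempfile.mkdtemp(prefix="li-log4j-check-")
    build_sample_tree(base)
    impacted = find_impacted_jars(base)
    # Constructed command lines standing in for `ps axf` output.
    patched_cmd = "java -Dlog4j2.formatMsgNoLookups=true -jar loginsight.jar"
    unpatched_cmd = "java -jar loginsight.jar"
    return {
        "impacted_jar_names": [os.path.basename(p) for p in impacted],
        "patched_jvm_has_flag": has_no_lookups_flag(patched_cmd),
        "unpatched_jvm_has_flag": has_no_lookups_flag(unpatched_cmd),
    }


if __name__ == "__main__":
    result = demo_scan()
    print("impacted jars:", result["impacted_jar_names"])
    print("patched JVM has flag:", result["patched_jvm_has_flag"])
    print("unpatched JVM has flag:", result["unpatched_jvm_has_flag"])
```

A node passes only when find_impacted_jars returns an empty list for every library directory and has_no_lookups_flag is true for the running service's command line; either condition failing on its own means the workaround steps must be re-run on that node.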
Note: To revert the workaround for CVE-2021-44228 and CVE-2021-45046 on vRealize Log Insight, revert each node to the snapshot taken before the workaround was implemented.