Workaround instructions to address CVE-2021-44228 and CVE-2021-45046 in vRealize Suite Lifecycle Manager 8.x
Article ID: 318498

Products

VMware Aria Suite

Issue/Introduction

CVE-2021-44228 and CVE-2021-45046 have been determined to impact vRealize Suite Lifecycle Manager 8.1.0 - 8.6.x via the Apache Log4j open source component it ships. These vulnerabilities and their impact on VMware products are documented in the following VMware Security Advisory (VMSA); please review it before continuing:

CVE-2021-44228 - VMSA-2021-0028

Notice: On December 14, 2021 the Apache Software Foundation notified the community that their initial guidance for CVE-2021-44228 and CVE-2021-45046 workarounds was not sufficient. We believe the instructions in this article to be an effective mitigation for CVE-2021-44228 and CVE-2021-45046, but in the best interest of our customers, we must assume this workaround may not adequately address all attack vectors.
We expect to fully address both CVE-2021-44228 and CVE-2021-45046 by updating log4j to version 2.17 in forthcoming releases of vRealize Suite Lifecycle Manager 8.6.2 and software patches for older versions, as outlined by our software support policies. VMSA-2021-0028 will be updated when these releases are available. In the interim, we have updated this Knowledge Base article with revised guidance to remove all JndiLookup classes per Apache Software Foundation guidance. Please subscribe to this article to be informed when updates are published.

Environment

VMware vRealize Suite Lifecycle Manager 8.x

Resolution

Note: Official patches have been released for the affected vRSLCM versions to address the log4j vulnerabilities. It is recommended to install these patches. They can be applied whether or not the steps in this KB were applied earlier. The steps in this KB were an interim workaround until the release of the official patches.

For more details on each patch, please see its release notes:
8.1.0: VMware-vRealize-Suite-Lifecycle-Manager-81-Patch-2
8.2.0: VMware-vRealize-Suite-Lifecycle-Manager-82-Patch-3
8.3.0: VMware-vRealize-Suite-Lifecycle-Manager-83-Patch-3
8.4.0: VMware-vRealize-Suite-Lifecycle-Manager-84-Patch-1
8.4.1: VMware-vRealize-Suite-Lifecycle-Manager-841-Patch-3
8.6.0: VMware-vRealize-Suite-Lifecycle-Manager-86-Patch-1

Resolution:
The workarounds described in this document are meant to be a temporary solution only.
The official patches mentioned above should be applied to remediate CVE-2021-44228 and CVE-2021-45046.


Workaround:
1. Take a snapshot of the vRealize Suite Lifecycle Manager appliance
2. Copy the attached log4jfix.sh file to the /tmp directory
3. Log into the vRSLCM appliance as root via SSH
4. Change to the /tmp directory:
   cd /tmp
5. Run the following command to make the log4jfix.sh script executable:
   chmod +x log4jfix.sh
6. Run the following command to execute the script:
   ./log4jfix.sh

Note: If you encounter the below error while executing the script, rename the old version of the vRSLCM SNAPSHOT.jar file and rerun the script. The error is raised when more than one vmlcm-service SNAPSHOT.jar is present in /var/lib/vrlcm, so the script's file test matches several files instead of one:

./log4jfix.sh: line 4: [: vmlcm-service-8.1.1-SNAPSHOT.jar: binary operator expected
vRSLCM services jar does not exist

Steps to rename:

1. Change directory to /var/lib/vrlcm:
   cd /var/lib/vrlcm
2. Run the below command to rename the file:
   mv vmlcm-service-8.1.1-SNAPSHOT.jar vmlcm-service-8.1.1-SNAPSHOT_old.jar


Steps to verify the fix for CVE-2021-44228 and CVE-2021-45046 - VMSA-2021-0028:

1. Copy the attached vrlcm-log4j-vuln-validate.sh file to the /tmp directory of the vRSLCM VM
2. Log into the vRSLCM appliance as root via SSH
3. Change to the /tmp directory:
   cd /tmp
4. Run the following command to make the vrlcm-log4j-vuln-validate.sh script executable:
   chmod +x vrlcm-log4j-vuln-validate.sh
5. Run the following command to execute the script:
   ./vrlcm-log4j-vuln-validate.sh

If the system has been patched properly, the output should look like the following:

Validating Log4j vulnerability for vRealize Suite Lifecycle Manager.
Validating vRSLCM services jar.
No impacted jar files found for vRSLCM services.
Validating Blackstone service jar.
No impacted jar files found for Blackstone service.

If the system has not been patched properly, the output will look like the following:

Validating Log4j vulnerability for vRealize Suite Lifecycle Manager.
Validating vRSLCM services jar.
1 impacted jar(s) found in vrlcm services jar:
/tmp/vrlcm_jar/BOOT-INF/lib/log4j-core-2.8.2.jar
Validating Blackstone service jar.
1 impacted jar(s) in blackstone service jar:
/tmp/blackstone_jar/BOOT-INF/lib/log4j-core-2.8.2.jar
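The two attached scripts are not reproduced here; as an added illustration of what the workaround and the validation check do, the following Python (not VMware's code) scans a Spring Boot fat jar for nested log4j-core jars that still contain JndiLookup.class, and rewrites the jar with that class removed. It assumes the same BOOT-INF/lib layout shown in the sample output above and builds its own constructed stand-in jar rather than touching a real vRSLCM service jar.

```python
import io
import re
import zipfile

# The class whose removal is the ASF-recommended workaround for CVE-2021-44228/-45046.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Spring Boot fat jars carry dependencies under BOOT-INF/lib, as in the page's sample output.
NESTED_LOG4J = re.compile(r"^BOOT-INF/lib/log4j-core-[\d.]+\.jar$")


def scan_fat_jar(data: bytes) -> list:
    """Return nested log4j-core jar paths that still contain JndiLookup.class."""
    impacted = []
    with zipfile.ZipFile(io.BytesIO(data)) as outer:
        for name in outer.namelist():
            if NESTED_LOG4J.match(name):
                with zipfile.ZipFile(io.BytesIO(outer.read(name))) as inner:
                    if JNDI_CLASS in inner.namelist():
                        impacted.append(name)
    return impacted


def remove_jndi_lookup(data: bytes) -> bytes:
    """Rewrite the fat jar with JndiLookup.class dropped from every nested log4j-core jar."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as outer, zipfile.ZipFile(out, "w") as new_outer:
        for info in outer.infolist():
            payload = outer.read(info.filename)
            if NESTED_LOG4J.match(info.filename):
                fixed = io.BytesIO()
                with zipfile.ZipFile(io.BytesIO(payload)) as inner, \
                        zipfile.ZipFile(fixed, "w", zipfile.ZIP_DEFLATED) as new_inner:
                    for entry in inner.infolist():
                        if entry.filename != JNDI_CLASS:
                            new_inner.writestr(entry, inner.read(entry.filename))
                payload = fixed.getvalue()
                # Spring Boot requires nested jars to be STORED (uncompressed) in the outer jar.
                info = zipfile.ZipInfo(info.filename)
                info.compress_type = zipfile.ZIP_STORED
            new_outer.writestr(info, payload)
    return out.getvalue()


def build_sample_fat_jar() -> bytes:
    """Constructed stand-in for a service jar; the entries are placeholders, not real classes."""
    fake_class = b"\xca\xfe\xba\xbe"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(JNDI_CLASS, fake_class)
        z.writestr("org/apache/logging/log4j/core/Logger.class", fake_class)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("BOOT-INF/classes/app.class", fake_class)
        z.writestr("BOOT-INF/lib/log4j-core-2.8.2.jar", inner.getvalue(), zipfile.ZIP_STORED)
    return outer.getvalue()
```

Like the attached validator, this treats a log4j-core jar as impacted while JndiLookup.class is present, so a jar is reported clean once the class is gone even though log4j-core itself remains.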

Note: This KB is not applicable if the vRSLCM version is 8.6.1 and PSPAK1 is applied on it. vRSLCM 8.6.1 PSPAK1 has the fix for both vulnerabilities.

Additional Information

https://www.vmware.com/security/advisories/VMSA-2021-0028.html
https://docs.vmware.com/en/VMware-vRealize-Suite-Lifecycle-Manager/8.6/rn/VMware-vRealize-Suite-Lifecycle-Manager-861-PSPAK-1-Release-Notes.html

Change Log:
  • December 12th, 2021 - 9 IST: Drafted initial document with an initial workaround.
  • December 13th, 2021 - 3 IST: Added support for 8.1 with new script log4jfix.sh uploaded.
  • December 16th, 2021 - 7:35 IST: Added vrlcm-log4j-vuln-validate.sh file and steps to verify the fix for CVE-2021-44228 - VMSA-2021-0028.
  • December 16th, 2021 - 10:35 IST: Modified scripting to address the new guidance that the JVM_OPTS workaround is not enough and JndiLookup.class needs to be removed from the classpath.
  • December 23rd, 2021 - 5:55 IST: Added note of 8.6.1 PSPAK 1 release.
  • February 10th, 2022 - 4 PM IST: Official patches have been released on vRSLCM versions to address the log4j vulnerabilities.


Attachments

log4jfix.sh
vrlcm-log4j-vuln-validate.sh