Workaround instructions to address CVE-2021-44228 in Site Recovery Manager and vSphere Replication (SRM/VR)
Article ID: 318553


Products

VMware Live Recovery, VMware Cloud on AWS

Issue/Introduction

Notice: On December 14, 2021 the Apache Software Foundation notified the community that their initial guidance for CVE-2021-44228 workarounds was not sufficient. We believe the instructions in this article to be an effective mitigation for CVE-2021-44228, but in the best interest of our customers we must assume this workaround may not adequately address all attack vectors. 
We expect to fully address both CVE-2021-44228 and CVE-2021-45046 by updating log4j to version 2.16 in forthcoming releases of VMware Site Recovery Manager and vSphere Replication, as outlined by our software support policies. This Knowledge Base article and VMSA-2021-0028 will be updated when these releases are available. Please subscribe to this article to be informed when updates are published. 

CVE-2021-44228 has been determined to impact Site Recovery Manager and vSphere Replication via the Apache Log4j open source component they ship. This vulnerability and its impact on VMware products are documented in the VMware Security Advisory (VMSA) referenced above, VMSA-2021-0028; please review that advisory before continuing.
You can validate exposure on a replication/site recovery appliance by running the following command from a shell as the root user:
grep -R 'JndiLookup.class' /opt/vmware/
grep -R 'JndiLookup.class' /var/opt/apache-tomcat/

If the mitigation has been successfully applied, these commands will not return any results.

Verify the environment variables have been properly set (all in one line):
for pid in $( ps ax  | grep java | grep -v grep | awk '{print $1}' ); do cat /proc/$pid/environ |tr '\0' '\n' | grep "LOG4J_FORMAT_MSG_NO_LOOKUPS"; done
Note: the expected output is multiple lines reading "LOG4J_FORMAT_MSG_NO_LOOKUPS=true" (one per Java process).
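The two checks above can be run together from a single script. The following is an added example, not part of this KB article or of the VMware appliances; it assumes Python 3 is available on the appliance and is run as root (so that /proc/<pid>/environ of the Java processes is readable). It reads each archive's zip directory rather than grepping binary files, treats only a value of exactly "true" as disabling lookups, and identifies Java processes by the executable name in /proc/<pid>/cmdline.

```python
import os
import zipfile
from typing import Dict, List

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FLAG = "LOG4J_FORMAT_MSG_NO_LOOKUPS"

def jars_with_jndi_lookup(roots: List[str]) -> List[str]:
    """Archives under roots whose zip directory still lists JndiLookup.class."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if not name.lower().endswith((".jar", ".war", ".ear")):
                    continue
                path = os.path.join(dirpath, name)
                try:
                    with zipfile.ZipFile(path) as zf:
                        if JNDI_CLASS in zf.namelist():
                            hits.append(path)
                except (zipfile.BadZipFile, OSError):
                    pass  # unreadable or not a zip: log4j cannot load it either
    return sorted(hits)

def parse_environ(raw: bytes) -> Dict[str, str]:
    """Parse the NUL-separated contents of /proc/<pid>/environ into a dict."""
    pairs = (e.partition(b"=") for e in raw.split(b"\0") if b"=" in e)
    return {k.decode(errors="replace"): v.decode(errors="replace") for k, _, v in pairs}

def lookups_disabled(env: Dict[str, str]) -> bool:
    """True only when the flag is exactly 'true'; any other value leaves lookups on."""
    return env.get(FLAG, "").strip().lower() == "true"

def java_pids_missing_flag(proc: str = "/proc") -> List[int]:
    """PIDs of running java processes whose environment lacks the flag."""
    missing = []
    for pid in (p for p in os.listdir(proc) if p.isdigit()):
        try:
            with open(f"{proc}/{pid}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0")[0]
            if os.path.basename(argv0) != b"java":
                continue
            with open(f"{proc}/{pid}/environ", "rb") as f:
                if not lookups_disabled(parse_environ(f.read())):
                    missing.append(int(pid))
        except OSError:
            continue  # process exited, or environ unreadable (run as root)
    return missing
```

Once the workaround is in place, both jars_with_jndi_lookup(["/opt/vmware/", "/var/opt/apache-tomcat/"]) and java_pids_missing_flag() should return empty lists; anything returned is a jar or process that still needs attention.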

See the Change log at the end of this article for all changes.

Resolution

This issue is resolved in the following releases: Site Recovery Manager 8.3.1.5, 8.4.0.4 and 8.5.0.2, and vSphere Replication 8.3.1.5, 8.4.0.4 and 8.5.0.2. VMware recommends patching to these versions over applying the workarounds detailed in this KB.

The workarounds described in this document are meant to be a temporary solution only. Mitigation is currently achieved by removing the vulnerable code. This workaround has no functional impact, as these products do not use the vulnerable "JndiLookup.class".
Upgrades documented in the aforementioned advisory should be applied to remediate CVE-2021-44228 when available.

Workaround:

Site Recovery consists of the following appliances: SRM, VR and VRS. To mitigate this vulnerability, you must apply the mitigation to each of the following components deployed in your environment:

Site Recovery Manager Appliance
Site Recovery Manager Windows (SRM 8.3.x Windows versions)

vSphere Replication Management Server Appliance
vSphere Replication Server (Add-on VR server) Appliance


Additional Information

While the SRM and VR Plugins for vRealize Orchestrator (VRO) are not directly impacted by this issue, the VRO appliance is impacted. Please see https://kb.vmware.com/s/article/87120 and https://kb.vmware.com/s/article/87122 for further details on the workarounds available for VRO appliance mitigation.

Change log:
December 17th 2021 - 11:24 PST: Updated guidance to indicate patched version availability
December 16th 2021 - 14:47 PST: Added guidance for VMC on AWS on-prem customer appliances
December 16th 2021 - 11:20 PST: Added steps required to verify environment flag for appliance. 
December 15th 2021 - 10:43 PST: Added guidance message.
December 15th 2021 - 06:43 PST: Added additional verification step for tomcat path.

Impact/Risks:
This issue impacts all releases prior to Site Recovery Manager 8.3.1.5, 8.4.0.4 and 8.5.0.2 and vSphere Replication 8.3.1.5, 8.4.0.4 and 8.5.0.2.

Note: VMware automatically manages VMware Site Recovery (VSR) components which are deployed in a customer's SDDC in VMware Cloud on AWS. Customers are responsible for managing their on-prem SRM and vSphere Replication appliances and should review these KB articles to determine if their on-prem appliances are affected.