CVE-2021-44228 & CVE-2021-45046 has been determined to potentially impact VMware NSX Data Center for vSphere via the Apache Log4js open-source component it ships. This vulnerability and its impact on VMware products is documented in the following VMware Security Advisory (VMSA), please review this document before continuing:
Pre-check
Make sure the script is not already executed on set up. Please check folder '/home/secureall/secureall/' and check presence of files '.log4j2-patched'. If file is present , then script is already executed on set up. Please do following steps in that case :
To apply the workaround for CVE-2021-44228 & CVE-2021-45046 perform the following steps in your NSX-V environment:
1. Take a backup of your NSX-V Manager.
Follow guidance found here, if necessary: https://docs.vmware.com/en/VMware-NSX-Data-Center-for-vSphere/6.4/com.vmware.nsx.upgrade.doc/GUID-<UUID>.html
OR
Alternatively, take a "cold clone" of your NSX-V Manager, prior to applying the workaround.
Steps:
1. Shutdown your existing NSX-V Manager.
2. Clone the NSX-V Manager to a VM with a different name, indicating that it is a clone of the original NSX-V Manager.
3. Power on your original NSX-V Manager.
4. Do NOT power on the clone NSX-V Manager, unless needed for rollback.
2. Download the following file from the attachment section of this KB article: signed_bsh_fix_log4j.encoded
3. Run the following REST API POST call using either Option A or Option B as described below.
Option A: POSTMAN
Authentication: Basic Auth (Username: admin)
Headers: Content-Type - application/xml
Body: Select 'Binary' as body type and attach the file signed_bsh_fix_log4j.encoded
Sample screenshots:
Option B: Curl command for Linux
curl --verbose --noproxy '*' -u admin -H "Content-Type: application/xml" -k -X POST "https://<NSX-Manager-IP>/api/1.0/services/debug/script" --data @/tmp/signed_bsh_fix_log4j.encoded
NOTES:
Please ensure above POST call returns HTTP Status 200 OK before proceeding.
4. Reboot the NSX-V Manager.
To verify the workaround for CVE-2021-44228 has been correctly applied to VMware NSX-V Manager perform the following steps:
Once the system has rebooted, SSH to the NSX-V Manager and elevate to root prompt (see KB 2149630 ) and invoke the tcpdump command:
tcpdump -i lo -s 1500 -XX port 389
Steps to login at the root level are:
SSH into the NSX V Manager as 'admin'
Type 'en' and provide the 'privileged mode' password.
HINT: Often, this is the same as your admin password, yet it is customer set.
Type 'st en' once in the privileged mode, and provide the root password:
Type 'y' when prompted.
Provide the password: IAmOnThePhoneWithTechSupport
Expected Response:
[root@nsx-v-manager ~]# tcpdump -i lo -s 1500 -XX port 389
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lo, link-type EN10MB (Ethernet), snapshot length 1500 bytes
While the tcpdump packet capture is running, send following REST API :
URL : POST https://<NSX-Manager-IP>/api/2.0/services/securitygroup/globalroot-0
Authentication: Basic Auth (Username: admin)
Headers: Content-Type - application/xml
Body:
<securitygroup>
<name>${jndi:ldap://127.0.0.1/e}</name>
</securitygroup>
Example Screenshot:
If the patch has been applied correctly, there will be no tcpdump output.
If the patch has not been applied correctly, you will see the following output in the tcpdump packet capture:
10:31:50.349103 IP localhost.43162 > localhost.ldap: Flags [S], seq 4118243761, win 43690, options [mss 65495,nop,nop,sackOK,nop,wscale 7], length 0
0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E.
0x0010: 0034 313f 4000 4006 0b83 7f00 0001 7f00 .41?@.@.........
0x0020: 0001 a89a 0185 f577 69b1 0000 0000 8002 .......wi.......
0x0030: aaaa fe28 0000 0204 ffd7 0101 0402 0103 ...(............
0x0040: 0307 ..
10:31:50.349118 IP localhost.ldap > localhost.43162: Flags [R.], seq 0, ack 4118243762, win 0, length 0
0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E.
0x0010: 0028 0000 4000 4006 3cce 7f00 0001 7f00 .(..@.@.<.......
0x0020: 0001 0185 a89a 0000 0000 f577 69b2 5014 ...........wi.P.
0x0030: 0000 a884 0000 ......
10:31:50.353257 IP localhost.43164 > localhost.ldap: Flags [S], seq 2371466404, win 43690, options [mss 65495,nop,nop,sackOK,nop,wscale 7], length 0
0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E.
To revert the workaround for CVE-2021-44228 to VMware NSX Data Center perform the following steps on each NSX-V Manager:
Restore to the backup of your NSX-V Manager that you took, prior to applying the workaround detailed above.
Follow guidance found here, if necessary: https://docs.vmware.com/en/VMware-NSX-Data-Center-for-vSphere/6.4/com.vmware.nsx.upgrade.doc/GUID-B22A6600-0E65-4765-AC4E-A9D20FC57D1D.html
OR
Alternatively, if a "cold clone" was taken, follow the steps below:
1. Shut down the original NSX-V Manager, which you wish to roll back from.
2. Power on the cloned NSX-V Manager, which you wish to roll back to.
A malicious actor with network access to an impacted VMware product may exploit this issue to invoke remote code execution.
All versions of NSX-V Data Center for vSphere contain the log4js and require this workaround.
Note: NSX-V Edge Service Gateways, NSX-V Controllers, and NSX-V Guest Introspection VM's are not affected by this issue.
Note: If the below workaround is applied to an NSX-V Manager, and that NSX-V Manager is subsequently upgraded to a newer vulnerable version of NSX-V, the workaround must be re-applied post upgrade.
Note: This workaround will have to be re-applied on the post-restore NSX-V Manager if an environment is restored from backup.