Workaround instructions to address CVE-2021-44228 in Cloud Director Object Storage Extension
Article ID: 319848
Updated On:
Products
VMware Cloud Director
Issue/Introduction
CVE-2021-44228 has been determined to impact VMware Cloud Director Object Storage Extension via the Apache Log4j open source component it ships. This vulnerability and its impact on VMware products are documented in the following VMware Security Advisory (VMSA), please review this document before continuing:
- CVE-2021-44228 – VMSA-2021-0028
Environment
VMware Cloud Director 10.x
Resolution
The workarounds described in this document are meant to be a temporary solution only.
Upgrades are already available to remediate CVE-2021-44228.
Workaround:
1. Login as ssh user, sudo to root
2. Edit file /usr/lib/systemd/system/voss-vip.service
3. In the line starting with text ExecStart, insert parameter -Dlog4j2.formatMsgNoLookups=true between java and -Xms1024m. The updated line is like this:
ExecStart=/bin/sh -c 'java -Dlog4j2.formatMsgNoLookups=true -Xms1024m -Xmx1024m -jar /opt/vmware/vip/voss-vip.jar \
--server.scheme=http \
--server.address=127.0.0.1 \
--swagger-ui.enable=false \
--source.cache.flag=false \
--vipservice.cross.domain.enable=false \
--vipservice.cross.domain.allowCredentials=false \
-clean '
4. Run systemctl daemon-reload
5. Run systemctl restart voss-vip
6. Run systemctl status voss-vip. Check the parameter is inserted successfully from the output.
Main PID: pid (java)
CGroup: /system.slice/voss-vip.service
└─pid java -Dlog4j2.formatMsgNoLookups=true -Xms1024m -Xmx1024m -jar /opt/vmware/vip/voss-vip.jar --server.scheme=http --server.address=127.0.0....
Upgrades are already available to remediate CVE-2021-44228.
Workaround:
1. Login as ssh user, sudo to root
2. Edit file /usr/lib/systemd/system/voss-vip.service
3. In the line starting with text ExecStart, insert parameter -Dlog4j2.formatMsgNoLookups=true between java and -Xms1024m. The updated line is like this:
ExecStart=/bin/sh -c 'java -Dlog4j2.formatMsgNoLookups=true -Xms1024m -Xmx1024m -jar /opt/vmware/vip/voss-vip.jar \
--server.scheme=http \
--server.address=127.0.0.1 \
--swagger-ui.enable=false \
--source.cache.flag=false \
--vipservice.cross.domain.enable=false \
--vipservice.cross.domain.allowCredentials=false \
-clean '
4. Run systemctl daemon-reload
5. Run systemctl restart voss-vip
6. Run systemctl status voss-vip. Check the parameter is inserted successfully from the output.
Main PID: pid (java)
CGroup: /system.slice/voss-vip.service
└─pid java -Dlog4j2.formatMsgNoLookups=true -Xms1024m -Xmx1024m -jar /opt/vmware/vip/voss-vip.jar --server.scheme=http --server.address=127.0.0....
Additional Information
Impact/Risks:
Object Storage Extension service itself is not impacted by this vulnerability directly, but it has an internal component depending on log4j.
The work arounds described in this document are applicable to the following versions:
-
VMware Cloud Director Object Storage Extension 1.X
-
VMware Cloud Director Object Storage Extension 2.X
Feedback
Yes
No
Powered by
