VMware Smart Assurance: Workaround instructions to address CVE-2021-44228 vulnerability in Network Configuration Manager 10.1.6.0
Article ID: 315715

Products

VMware

Issue/Introduction

CVE-2021-44228 affects VMware Smart Assurance Network Configuration Manager (NCM) 10.1.6.0 through the Apache Log4j open source component it ships. The vulnerability and its impact on VMware products are documented in VMware Security Advisory VMSA-2021-0028. Review that advisory before continuing.
Symptoms:

Notice: On December 14, 2021 the Apache Software Foundation notified the community that its initial guidance for CVE-2021-44228 workarounds was not sufficient. We believe the instructions in this article to be an effective mitigation for CVE-2021-44228, but in the best interest of our customers we must assume this workaround may not adequately address all attack vectors.

We expect to fully address both CVE-2021-44228 and CVE-2021-45046 by updating log4j to version 2.16 in forthcoming releases of VMware Smart Assurance Network Configuration Manager, as outlined by our software support policies. VMSA-2021-0028 will be updated when these releases are available. In the interim, we have updated this Knowledge Base article with revised guidance to remove all JndiLookup classes per Apache Software Foundation guidance. Please subscribe to this article to be informed when updates are published.


Environment

VMware Smart Assurance - NCM

Resolution

Upgrade to the NCM 10.1.6.1 patch. That release ships log4j 2.17.1, which resolves CVE-2021-44228 and CVE-2021-45046.

Refer to the 10.1.6.1 release notes:

https://docs.vmware.com/en/VMware-Smart-Assurance/10.1.6.1/rn/VMware-Smart-Assurance-NCM-10161-GA-Patch-Release-Notes.html


Workaround:

The manual workaround has been removed from this article now that the 10.1.6.1 patch is available.


Additional Information

Notes:

Per the CVE-2021-44228 details, applications that use log4j-core and include attacker-controlled input in log messages are vulnerable. The JNDI lookup implementation (the JndiLookup class) lives in log4j-core; log4j-api and log4j-to-slf4j do not contain it. Before 10.1.6, NCM used log4j-api and log4j-to-slf4j for logging, so NCM versions prior to 10.1.6 (i.e., 9.6, 9.6.1, 10.1, 10.1.1, 10.1.3, 10.1.4) are not affected by this vulnerability; only 10.1.6 is.
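The Python script below is an example added to this article; it is not VMware tooling and was not part of the original KB. It performs the check a practitioner would want both for this note and for the Resolution above: it inventories log4j jars under a directory tree, including jars nested inside war files such as the one the change log mentions under the ncm-msa directory, reports whether each log4j-core jar still contains JndiLookup.class, and rates each jar against the 2.17.1 level that 10.1.6.1 ships. The directory and file names in its built-in fixture are constructed for demonstration and do not describe an NCM installation; pass one or more installation directories as arguments to scan a real system.

```python
#!/usr/bin/env python3
"""Inventory log4j jars under a directory tree and rate exposure to CVE-2021-44228.

Example added to this article (not VMware tooling). Finds log4j-core, log4j-api and
log4j-to-slf4j jars, also nested inside .war/.ear/.jar files, reads the version
from the file name and checks for org/apache/logging/log4j/core/lookup/JndiLookup.class.
"""
import io
import re
import sys
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear", ".zip")
LOG4J_RE = re.compile(r"log4j-(core|api|to-slf4j)-(\d+\.\d+\.\d+)\.jar$")


def classify(artifact, version, has_jndi):
    """Status for one jar. Only log4j-core contains the JNDI lookup implementation."""
    if artifact != "core":
        return "INFO"        # log4j-api / log4j-to-slf4j: no lookup code to exploit
    v = tuple(int(x) for x in version.split("."))
    if v >= (2, 17, 1):
        return "OK"          # the release NCM 10.1.6.1 ships
    if v >= (2, 15, 0):
        return "UPGRADE"     # CVE-2021-44228 fixed, still below 2.17.1
    if has_jndi:
        return "VULNERABLE"  # 2.x below 2.15 with the lookup class present
    return "MITIGATED"       # lookup class removed per ASF guidance


def scan_bytes(label, data, findings):
    """Inspect one archive held in memory; recurse into archives nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = zf.namelist()
        m = LOG4J_RE.search(label)
        if m:
            artifact, version = m.group(1), m.group(2)
            has_jndi = JNDI_LOOKUP in names
            findings.append({"path": label, "artifact": artifact, "version": version,
                             "jndi": has_jndi,
                             "status": classify(artifact, version, has_jndi)})
            return
        for entry in names:
            if entry.endswith(ARCHIVES):
                scan_bytes(f"{label}!{entry}", zf.read(entry), findings)


def scan_tree(root):
    """Return one finding per log4j jar below root, nested jars included."""
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix in ARCHIVES:
            scan_bytes(str(p.relative_to(root)), p.read_bytes(), findings)
    return findings


def _zip_bytes(entries):
    """Build a minimal zip in memory; stands in for a real jar/war in the fixture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed fixture: paths and file names are illustrative, not an NCM layout."""
    root = Path(root)
    core = {"META-INF/MANIFEST.MF": b"", JNDI_LOOKUP: b""}
    files = {
        "lib/log4j-core-2.14.1.jar": _zip_bytes(core),                # level shipped in 10.1.6.0
        "lib/log4j-api-2.14.1.jar": _zip_bytes({"META-INF/MANIFEST.MF": b""}),
        "mitigated/log4j-core-2.14.1.jar": _zip_bytes({"META-INF/MANIFEST.MF": b""}),
        "patched/log4j-core-2.17.1.jar": _zip_bytes(core),            # level shipped in 10.1.6.1
        "ncm-msa/unused.war": _zip_bytes(                             # core jar inside a war
            {"WEB-INF/lib/log4j-core-2.14.1.jar": _zip_bytes(core)}),
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return root


def demo_findings():
    """Build the fixture in a fresh temp dir and scan it."""
    return scan_tree(build_sample_tree(tempfile.mkdtemp()))


def main(argv):
    roots = argv[1:]
    findings = demo_findings() if not roots else [f for r in roots for f in scan_tree(r)]
    for f in findings:
        jndi = "present" if f["jndi"] else "absent"
        print(f"{f['status']:10} log4j-{f['artifact']}-{f['version']}  JndiLookup={jndi}  {f['path']}")
    return 1 if any(f["status"] == "VULNERABLE" for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Exit status 1 means at least one log4j-core below 2.15 with JndiLookup.class still present was found. log4j-api and log4j-to-slf4j jars are listed as INFO because the JNDI lookup lives only in log4j-core, which is why the pre-10.1.6 NCM releases are not affected; a log4j-core 2.14.1 jar with the class removed is reported as MITIGATED, and 2.17.1 as OK.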

Change Log:

  • 14-December-2021: Created KB article to remediate the log4j vulnerability (CVE-2021-44228) for VMware Smart Assurance NCM 10.1.5. The remediation is to set the system property "-Dlog4j2.formatMsgNoLookups=true".
  • 15-December-2021: Updated steps to remove "JndiLookup.class" from every log4j-core-*.jar present.
  • 15-December-2021: Updated steps to set the system property in every location.
  • 16-December-2021: Updated steps 8-21 to restore the original ownership of log4j-core-2.14.1.jar, and added the systemctl daemon-reload command required before the process reload.
  • 17-December-2021: Updated steps to delete JndiLookup.class from an unused war file in the ncm-msa directory, which contains a log4j-core jar.
  • 10-February-2022: Updated KB to reflect that the resolution is to upgrade to the NCM 10.1.6.1 patch.


Impact/Risks:

An attacker who can control log messages or log message parameters can execute arbitrary code loaded from an attacker-controlled LDAP server when message lookup substitution is enabled. However, there are different layers of protection in VMware Smart Assurance Network Configuration Manager that make exploiting CVE-2021-44228 difficult.