Notice: this knowledge base article was updated on December 16th, 2021 with a new hotpatch file. If the previous file has been installed, please use the uninstall.sh script, then apply the new hotpatch with the same steps.
Apply the attached hotpatch or upgrade to VMware Integrated OpenStack 7.2. The checksum values for the hotpatch are:
- md5: a53c94e1c9b2e1a0bf980d21c9e71326
- sha1: 739046886dc3730d4e75e120f4fcdc8904463892
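The following script is an added example, not part of the original article or of the hotpatch itself. It checks the downloaded archive against both digests listed above before anything is extracted. The function names and the --verify switch are illustrative assumptions, and it assumes md5sum and sha1sum are available on the manager.

```shell
#!/bin/sh
# Added example: verify the hotpatch archive against the digests published
# in this article before extracting it. Function names are illustrative.

KB_MD5="a53c94e1c9b2e1a0bf980d21c9e71326"
KB_SHA1="739046886dc3730d4e75e120f4fcdc8904463892"

# digest_of TOOL FILE: print only the lowercase hex digest.
# Reading from stdin avoids the filename escaping md5sum/sha1sum may apply.
digest_of() {
    "$1" < "$2" | awk '{print tolower($1)}'
}

# verify_digests FILE EXPECTED_MD5 EXPECTED_SHA1
# Returns 0 only if BOTH digests match, 1 on any mismatch, 2 if FILE is missing.
verify_digests() {
    file=$1; want_md5=$2; want_sha1=$3
    if [ ! -f "$file" ]; then
        echo "missing file: $file" >&2
        return 2
    fi
    got_md5=$(digest_of md5sum "$file")
    got_sha1=$(digest_of sha1sum "$file")
    rc=0
    if [ "$got_md5" != "$want_md5" ]; then
        echo "md5 mismatch: got $got_md5" >&2; rc=1
    fi
    if [ "$got_sha1" != "$want_sha1" ]; then
        echo "sha1 mismatch: got $got_sha1" >&2; rc=1
    fi
    return $rc
}

# verify_hotpatch [FILE]: check the archive against the article's digests.
verify_hotpatch() {
    verify_digests "${1:-vio-patch-CVE-2021-44228.tgz}" "$KB_MD5" "$KB_SHA1"
}

# Runs only when requested: sh verify.sh --verify [FILE]
if [ "${1:-}" = "--verify" ]; then
    verify_hotpatch "${2:-}" && echo "digests match"
fi
```

A non-zero exit means the file is missing or differs from the one this article describes; download it again rather than running install.sh.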
To apply the hotpatch for CVE-2021-44228 to VMware Integrated OpenStack 7.0, 7.0.1, or 7.1, perform the following steps:
- Copy the attached vio-patch-CVE-2021-44228.tgz file to the VMware Integrated OpenStack Manager virtual machine.
- Extract the files with the command: tar -xvf vio-patch-CVE-2021-44228.tgz
- Change into the extracted directory with the command: cd vio-patch-CVE-2021-44228/
- Install the hotpatch with the command: ./install.sh
If the hotpatch needs to be uninstalled at any time, run this command from the extracted directory: ./uninstall.sh
To verify installation after running the install.sh script:
- Check the local images on the manager with the command: docker images |grep javalib
- In the output you should see something similar to:
root@vxlan-vm-111-161 [ ~/vio-patch-CVE-2021-44228 ]# docker images |grep javalib
docker-registry.default.svc.cluster.local:5000/vmware/vio/javalib 7.1.0.17987093 453ac881448f 18 hours ago 414MB
docker-registry.default.svc.cluster.local:5000/vmware/vio/javalib-bak 7.1.0.17987093 d35ebb51b4e6 8 months ago 414MB
- In the above output the old image has been backed up as docker-registry.default.svc.cluster.local:5000/vmware/vio/javalib-bak 7.1.0.17987093, and the hotpatched image has been pushed to production as docker-registry.default.svc.cluster.local:5000/vmware/vio/javalib 7.1.0.17987093.
- Additional checks can be made within the image itself by running a container, and then checking the log4j library within the container. The command to run the container from the manager would look like: docker run -it docker-registry.default.svc.cluster.local:5000/vmware/vio/javalib:7.1.0.17987093
- Further checks can be performed to ensure the image is updated on the registry. The local images can be deleted, and then the image can be pulled from the registry and run. To delete the image, the command would be: docker rmi -f docker-registry.default.svc.cluster.local:5000/vmware/vio/javalib:7.1.0.17987093. To pull the image from the registry, the command would be: docker pull docker-registry.default.svc.cluster.local:5000/vmware/vio/javalib:7.1.0.17987093. To run a container from the image, repeat the command from step #4.
- Do not delete the backup image.