Workaround instructions to address CVE-2021-44228 in VMware Integrated OpenStack 7.0, 7.0.1, and 7.1
Article ID: 321757


Products

VMware Integrated OpenStack

Issue/Introduction

CVE-2021-44228 has been determined to impact VMware Integrated OpenStack 7.0, 7.0.1, and 7.1 via the Apache Log4j open source component it ships. This vulnerability and its impact on VMware products are documented in the following VMware Security Advisory (VMSA); please review that advisory before continuing:

CVE-2021-44228 - VMSA-2021-0028

Environment

VMware Integrated OpenStack 7.x

Resolution

Notice: this knowledge base article was updated on December 16th, 2021 with a new hotpatch file. If the previous file has been installed, run its uninstall.sh script first, then apply the new hotpatch with the same steps.

Apply the attached hotpatch or upgrade to VMware Integrated OpenStack 7.2. Checksum values for the hotpatch file are as follows:

  • md5: a53c94e1c9b2e1a0bf980d21c9e71326
  • sha1: 739046886dc3730d4e75e120f4fcdc8904463892

To apply the hotpatch for CVE-2021-44228 to VMware Integrated OpenStack 7.0, 7.0.1, or 7.1 perform the following steps:

  1. Copy the attached vio-patch-CVE-2021-44228.tgz file to the VMware Integrated OpenStack Manager virtual machine.
  2. Extract the files with the command: tar -xvf vio-patch-CVE-2021-44228.tgz
  3. Change into the extracted directory with the command: cd vio-patch-CVE-2021-44228/
  4. Install the hotpatch with the command: ./install.sh

If the hotpatch needs to be uninstalled at any time, run this command from the same extracted directory: ./uninstall.sh

To verify installation after running the install.sh script:

  1. Check the local images on the manager with the command: docker images |grep javalib
  2. In the output you should see something similar to:
root@vxlan-vm-111-161 [ ~/vio-patch-CVE-2021-44228 ]# docker images |grep javalib
docker-registry.default.svc.cluster.local:5000/vmware/vio/javalib                                              7.1.0.17987093            453ac881448f        18 hours ago        414MB
docker-registry.default.svc.cluster.local:5000/vmware/vio/javalib-bak                                          7.1.0.17987093            d35ebb51b4e6        8 months ago        414MB
  3. In the above output, the old image has been backed up as docker-registry.default.svc.cluster.local:5000/vmware/vio/javalib-bak 7.1.0.17987093, and the hotpatched image has been pushed to production as docker-registry.default.svc.cluster.local:5000/vmware/vio/javalib 7.1.0.17987093.
  4. Additional checks can be made within the image itself by running a container and then inspecting the log4j library inside it. The command to run the container from the manager is: docker run -it docker-registry.default.svc.cluster.local:5000/vmware/vio/javalib:7.1.0.17987093
  5. Further checks can be performed to ensure the image is updated on the registry: delete the local image, pull it again from the registry, and run it. To delete the local image: docker rmi -f docker-registry.default.svc.cluster.local:5000/vmware/vio/javalib:7.1.0.17987093. To pull the image from the registry: docker pull docker-registry.default.svc.cluster.local:5000/vmware/vio/javalib:7.1.0.17987093. To run a container from the pulled image, repeat the command from step 4.
  6. Do not delete the backup image.
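The following script is an added example, not part of the KB or of VMware's hotpatch: it checks the downloaded archive against the md5/sha1 values published above before install.sh is run, and parses the output of "docker images | grep javalib" for the post-install state (patched javalib plus javalib-bak with the same tag). It assumes GNU md5sum/sha1sum on the VIO Manager and the listing format shown above; the script name verify-vio-patch.sh is hypothetical.

```shell
#!/bin/sh
# Checksums published in the KB for vio-patch-CVE-2021-44228.tgz (from the article above).
EXPECTED_MD5="a53c94e1c9b2e1a0bf980d21c9e71326"
EXPECTED_SHA1="739046886dc3730d4e75e120f4fcdc8904463892"

# verify_hotpatch FILE [MD5] [SHA1]: succeed only if both digests match.
# Checking both before ./install.sh guards against a corrupt or substituted archive.
verify_hotpatch() {
  file=$1; want_md5=${2:-$EXPECTED_MD5}; want_sha1=${3:-$EXPECTED_SHA1}
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
  got_md5=$(md5sum "$file" | cut -d' ' -f1)
  got_sha1=$(sha1sum "$file" | cut -d' ' -f1)
  [ "$got_md5" = "$want_md5" ] || { echo "md5 mismatch: $got_md5" >&2; return 1; }
  [ "$got_sha1" = "$want_sha1" ] || { echo "sha1 mismatch: $got_sha1" >&2; return 1; }
}

# check_javalib_images LISTING: LISTING is the text of `docker images | grep javalib`.
# Succeeds (and prints the tag) only when javalib and javalib-bak share one tag,
# i.e. the backup exists and the patched image replaced the original.
check_javalib_images() {
  listing=$1
  tag=$(printf '%s\n' "$listing" | awk '$1 ~ /\/vmware\/vio\/javalib$/ {print $2; exit}')
  bak=$(printf '%s\n' "$listing" | awk '$1 ~ /\/vmware\/vio\/javalib-bak$/ {print $2; exit}')
  [ -n "$tag" ] || { echo "patched javalib image not found" >&2; return 1; }
  [ -n "$bak" ] || { echo "javalib-bak backup image not found" >&2; return 1; }
  [ "$tag" = "$bak" ] || { echo "tag mismatch: $tag vs backup $bak" >&2; return 1; }
  echo "$tag"
}

# Constructed sample, copied from the listing shown in the KB, for offline use.
SAMPLE_LISTING='docker-registry.default.svc.cluster.local:5000/vmware/vio/javalib       7.1.0.17987093   453ac881448f   18 hours ago   414MB
docker-registry.default.svc.cluster.local:5000/vmware/vio/javalib-bak   7.1.0.17987093   d35ebb51b4e6   8 months ago   414MB'

# Usage on the VIO Manager: sh verify-vio-patch.sh vio-patch-CVE-2021-44228.tgz
if [ "$#" -eq 1 ]; then
  verify_hotpatch "$1" && echo "hotpatch checksums OK"
  check_javalib_images "$(docker images | grep javalib)" && echo "javalib images OK"
fi
```

A tag mismatch or a missing javalib-bak means the install did not complete as described, so stop and re-check before trusting the deployment.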


Additional Information


Change Log:
  • December 16th 2021 18:00 MST: revised hotpatch file uploaded to KB article with a fixed version of log4j 2.16 with .new appended, and additional steps added if previous hotpatch was applied. New file is 227,874 KB in size. Verification steps added.
  • December 17th 2021 06:08 MST: added md5 and sha1 checksum values for the hotpatch.
  • December 21st 2021 09:21 MST: Title changed to cover only impacted versions. Related info was not editable at this time, and could not add to the changelog from earlier.
  • December 22nd 2021 11:55 MST: steps changed, and revised hotpatch from December 16th re-uploaded with .new removed.
  • December 23rd 2021 16:00 MST: making sure it is noted that the permanent fix is in version 7.2.


Impact/Risks:
A malicious actor with network access to an impacted VMware product may exploit this issue to invoke remote code execution. All versions of VMware Integrated OpenStack contain the log4j package to do LDAP validation, which doesn’t provide an endpoint for external access and is only running when a user updates the LDAP configuration. However, further exploitation of the log message lookup feature might be possible.

Attachments

vio-patch-CVE-2021-44228