Workaround instructions to address CVE-2021-44228 and CVE-2021-45046 in vRealize Business for Cloud

Article ID: 327228

Products

VMware Aria Suite

Issue/Introduction

CVE-2021-44228 and CVE-2021-45046 have been determined to impact vRealize Business for Cloud via the Apache Log4j open source component it ships. This vulnerability and its impact on VMware products are documented in the following VMware Security Advisory (VMSA); please review that document before continuing:
CVE-2021-44228 and CVE-2021-45046 – VMSA-2021-0028

Note: Subscribe to this article for the latest updates and keep track of the "Change Log" information in the Related section below.


Environment

VMware vRealize Business for Cloud Standard 7.x
VMware vRealize Business for Cloud Advanced 7.x
VMware vRealize Business for Cloud 7.6.x

Resolution

The workarounds described in this document are meant to be a temporary solution only.
Upgrades documented in the aforementioned advisory should be applied to remediate CVE-2021-44228 and CVE-2021-45046 when available.


Workaround:

*** Before applying the workaround below, take a snapshot of the vRBC 7.x virtual appliance ***

To apply the workaround for CVE-2021-44228 and CVE-2021-45046 to vRealize Business for Cloud perform the following steps:


1. SSH to the vRBC VA.

2. Run the command below to list all jar files that contain the vulnerable class JndiLookup.class:
    find / -type f -name "*.jar" -exec sh -c "zipinfo -1 {} | grep JndiLookup.class && echo {}" \;

3. Deleting the vulnerable class from the jar files requires the zip package to be installed on the SUSE Linux appliance. It can be installed with zypper:
    zypper install zip
   Sometimes this command fails with the following error: Timeout exceeded when accessing 'http://10.163.50.247/build/.0/repo/iso/content'.
   If the zypper installation succeeds, skip steps 4 and 5.

4. If the installation in step 3 fails, download the rpm "zip-3.0-2.22.x86_64.rpm" from the repository below:
    wget --no-check-certificate https://ftp.lysator.liu.se/pub/opensuse/distribution/leap/15.3/repo/oss/x86_64/zip-3.0-2.22.x86_64.rpm

5. Once the rpm is downloaded, run the commands below to install it:
    a. cd <rpm location>
    b. rpm -i zip-3.0-2.22.x86_64.rpm


6. Run the command below to delete the vulnerable class from each jar listed in step 2:
    zip -q -d /usr/local/tomcat/shared-lib/log4j-core-2.9.1.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
   Run the same command for every jar listed, for example:
    zip -q -d /usr/local/tomcat/shared-lib/log4j-core-2.8.2.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
    zip -q -d /usr/local/facts-repo/lib/log4j-core-2.9.1.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
    zip -q -d /usr/ITFM-Cloud/va-tools/data-migration/lib/log4j-core-2.8.2.jar org/apache/logging/log4j/core/lookup/JndiLookup.class


7. Restart all services:
    monit restart all


Additional Information

To verify that the workaround for CVE-2021-44228 and CVE-2021-45046 has been correctly applied to vRealize Business for Cloud, run the command below; it should list no jar files that contain the vulnerable class:
    find / -type f -name "*.jar" -exec sh -c "zipinfo -1 {} | grep JndiLookup.class && echo {}" \;
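The scan in step 2, the class removal in step 6 and the verification check above are one flow: enumerate jars, strip the JndiLookup entry from each hit, then re-scan and expect an empty result. The script below is an added example, not VMware's procedure or code from the appliance; it implements that flow with Python's zipfile module in place of zipinfo/zip so it runs on any host without those binaries, and it builds its own constructed sample tree (a placeholder jar with a JndiLookup.class entry, a clean jar and a non-jar file) rather than touching real appliance paths.

```python
"""Added example (not part of the VMware KB article): scan a directory tree for
jar files containing the JndiLookup class, strip that entry by rewriting the
archive, and re-scan to verify. Uses Python's zipfile in place of zipinfo/zip."""
import os
import shutil
import tempfile
import zipfile

# Entry path inside log4j-core jars that the KB's zip -d command removes.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def find_vulnerable_jars(root):
    """Return sorted paths of *.jar files under root whose entry list contains
    JndiLookup.class (the equivalent of the KB's find/zipinfo/grep pipeline)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as zf:
                    if JNDI_LOOKUP in zf.namelist():
                        hits.append(path)
            except zipfile.BadZipFile:
                continue  # a .jar that is not a valid archive: skip, do not abort the scan
    return sorted(hits)


def strip_jndi_lookup(jar_path):
    """Rewrite jar_path without the JndiLookup entry (what `zip -q -d` does).
    Returns True if the entry was removed, False if it was not present.
    The new archive is written to a temp file in the same directory and then
    swapped in with os.replace, so a failure mid-way leaves the original intact."""
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(jar_path), suffix=".jar")
        os.close(fd)
        with zipfile.ZipFile(tmp_path, "w") as dst:
            for info in src.infolist():
                if info.filename == JNDI_LOOKUP:
                    continue
                # Passing the ZipInfo keeps each entry's compression method and timestamp.
                dst.writestr(info, src.read(info.filename))
    shutil.copymode(jar_path, tmp_path)
    os.replace(tmp_path, jar_path)
    return True


def make_sample_tree(root):
    """Constructed sample data (not real appliance files): one jar carrying a
    placeholder JndiLookup.class entry, one clean jar, one non-jar file."""
    lib = os.path.join(root, "shared-lib")
    os.makedirs(lib, exist_ok=True)
    vuln = os.path.join(lib, "log4j-core-sample.jar")
    with zipfile.ZipFile(vuln, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe placeholder, not a real class")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    clean = os.path.join(lib, "other-lib.jar")
    with zipfile.ZipFile(clean, "w") as zf:
        zf.writestr("com/example/Foo.class", b"\xca\xfe\xba\xbe")
    with open(os.path.join(lib, "notes.txt"), "w") as f:
        f.write("not a jar\n")
    return vuln, clean


def remediate(root):
    """Full workaround flow: scan, strip every hit, re-scan.
    Returns (jars found before, jars still found after)."""
    before = find_vulnerable_jars(root)
    for jar in before:
        strip_jndi_lookup(jar)
    return before, find_vulnerable_jars(root)


def demo():
    """Run the flow against the constructed tree in a temp dir and return the
    observable results (basenames only, so they are stable across hosts)."""
    with tempfile.TemporaryDirectory() as tmp:
        vuln, clean = make_sample_tree(tmp)
        before, after = remediate(tmp)
        with zipfile.ZipFile(vuln) as zf:
            remaining = sorted(zf.namelist())
        return {
            "before": [os.path.basename(p) for p in before],
            "after": [os.path.basename(p) for p in after],
            "remaining": remaining,
            "strip_clean_again": strip_jndi_lookup(clean),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The temp-file-and-replace pattern matters because a jar that is truncated half-way through an in-place rewrite breaks the application as surely as the vulnerability would; the KB's step 7 (monit restart all) is still required after any such change, since a running JVM keeps the old archive open and does not see the modified file until it restarts.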

To revert the workaround for CVE-2021-44228 and CVE-2021-45046 on vRealize Business for Cloud:

Take a snapshot of the vRBC VA before performing the workaround steps above.

Change Log:
  • December 22nd 2021 - 10:00am PST - Added information that the same workaround also remediates CVE-2021-45046


Impact/Risks:
No impact.