*** Before applying the workaround below, please take a snapshot of the vRBC 7.x virtual appliance ***
To apply the workaround for CVE-2021-44228 and CVE-2021-45046 to vRealize Business for Cloud, perform the following steps:
1. SSH to the vRBC VA.
2. Run the command below to list all jar files that contain the vulnerable class JndiLookup.class:
find / -type f -name "*.jar" -exec sh -c "zipinfo -1 {} | grep JndiLookup.class && echo {}" \;
3. To delete the vulnerable class from the jar files, the zip package must be installed on SUSE Linux. It can be installed with the zypper command:
zypper install zip
This command sometimes fails with the following error: Timeout exceeded when accessing 'http://10.163.50.247/build/.0/repo/iso/content'.
If the zypper installation succeeds, skip steps 4 and 5.
4. If installation via step 3 fails, download the rpm "zip-3.0-2.22.x86_64.rpm" from the repository below:
wget --no-check-certificate https://ftp.lysator.liu.se/pub/opensuse/distribution/leap/15.3/repo/oss/x86_64/zip-3.0-2.22.x86_64.rpm
5. Once the rpm is downloaded, run the commands below to install it:
a. cd <rpm location>
b. rpm -i zip-3.0-2.22.x86_64.rpm
6. Run the command below to delete the vulnerable class from the jars found in step 2:
zip -q -d /usr/local/tomcat/shared-lib/log4j-core-2.9.1.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Run the same command for each of the other jars listed:
zip -q -d /usr/local/tomcat/shared-lib/log4j-core-2.8.2.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
zip -q -d /usr/local/facts-repo/lib/log4j-core-2.9.1.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
zip -q -d /usr/ITFM-Cloud/va-tools/data-migration/lib/log4j-core-2.8.2.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
7. Restart all services:
monit restart all