Notice: On December 14, 2021 the Apache Software Foundation notified the community that their initial guidance for CVE-2021-44228 workarounds was not sufficient. We believe the instructions in this article to be an effective mitigation for CVE-2021-44228, but in the best interest of our customers we must assume this workaround may not adequately address all attack vectors. 
We expect to fully address both CVE-2021-44228 and CVE-2021-45046 by updating log4j to version 2.16 in forthcoming releases of VMware vRealize Network Insight, as outlined by our software support policies. VMSA-2021-0028 will be updated when these releases are available. In the interim, we will be updating this Knowledge Base article with revised guidance to remove all JndiLookup classes and disabling all lookups with JVM property settings “log4j2.formatMsgNoLookups=true” as per VMware Security Response Center guidance. Please subscribe to this article to be informed when updates are published.

CVE-2021-44228 can possibly impact vRNI installations via the usage of ElasticSearch which bundles the impacted log4j version (2.11).  This vulnerability and its impact on VMware products are documented in the following VMware Security Advisory (VMSA), please review this document before continuing:

• CVE-2021-44228 -VMSA-2021-0028
•  CVE-2021-45046   

Highlighted sections indicate the most recent updates. See the Change log at the end of this article for all changes and subscribe the article for updates.

The workarounds described in this document are meant to be a temporary solution only.
To mitigate the vulnerability for the vRealize Network Insight version  6.0.0 and  6.1.0 refer to the workaround section of this VMware Knowledge Base Article.

To mitigate the vulnerability patches are available for vRealize Network Insight version 5.30, 6.2.0, 6.3.0, and 6.4.0 for now. Please refer to VMware Knowledge Base Article: https://kb.vmware.com/s/article/87268


Upgrades documented in the aforementioned advisory should be applied to remediate CVE-2021-44228/CVE-2021-45046 when available.

Below mentioned steps are applicable to VMware vRealize Network Insight 6.0.0 and 6.1.0

To mitigate the vulnerability, perform the following steps on all Collectors and Platform Node(s).

Notes:

i) In the case of the Platform cluster, an SSH port must be open between Platform nodes. Execute it on any one Platform in case of cluster and other nodes will be automatically patched.
ii) It is recommended to run this new script even if the previous script has been already run for all the collectors and platform appliances.
iii) Running the new script vRNI_log4j_fix.sh will take some time as it will check for additional components on the vRNI Appliances that may be vulnerable, apply the fix and restart services.
iv) Post running the script on existing vRNI appliances, if you plan to create a new vRNI platform cluster/expand the existing platform cluster or add any new collector appliances then you would need to run this script on all the newly added vRNI appliance Nodes.

Steps are the same for single node platform deployments and clustered deployments

1. Download the attached script, with file name vRNI_log4j_fix.sh locally. (see attachment section)

2. Using WinSCP or some such tool SCP the attached file/script to Platform node (any one Platform in case of cluster) and all Collector nodes. Use "support" user credentials to SCP. The file will be copied in "/home/support" location.

3. SSH to same Platform/Collector where the file was copied as "support" user.

4. Run "sha1sum vRNI_log4j_fix.sh" and it should show "87c0ace85cb524401dfee875a71b7629cefb11f1"
    Example:
    support@vrni-proxy-release:~$ sha1sum vRNI_log4j_fix.sh 
  87c0ace85cb524401dfee875a71b7629cefb11f1  vRNI_log4j_fix.sh 
  support@vrni-proxy-release:~$

5.  Run “screen” to be safe against session disconnect.  

6.  Run “sudo bash vRNI_log4j_fix.sh”

 Validation: Run the script again same as above and now it should show lines like:

“Affected jars: []”

“No change, skipping service restart”