VMware Telco Cloud Operations: Instructions to address CVE-2021-44228 in Telco Cloud Operations 1.4
Article ID: 345118
Updated On:
Products
VMware
VMware Telco Cloud Operations
Issue/Introduction
CVE-2021-44228 has been determined to impact VMware Telco Cloud Operations 1.4 due to the Apache Log4j open source component it ships.
Symptoms:
Notice: On December 14, 2021 the Apache Software Foundation notified the community that their initial guidance for CVE-2021-44228 workarounds was not sufficient. We believe the instructions in this article to be an effective mitigation for CVE-2021-44228, but in the best interest of our customers we must assume this workaround may not adequately address all attack vectors.
We expect to fully address both CVE-2021-44228 and CVE-2021-45046 by updating log4j to version 2.16 in forthcoming releases of “VMware Telco Cloud Operations”, as outlined by our software support policies. VMSA-2021-0028 will be updated when these releases are available. In the interim, we have updated this Knowledge Base article with revised guidance to remove all JndiLookup classes per Apache Software Foundation guidance. Please subscribe to this article to be informed when updates are published.
Symptoms:
Notice: On December 14, 2021 the Apache Software Foundation notified the community that their initial guidance for CVE-2021-44228 workarounds was not sufficient. We believe the instructions in this article to be an effective mitigation for CVE-2021-44228, but in the best interest of our customers we must assume this workaround may not adequately address all attack vectors.
We expect to fully address both CVE-2021-44228 and CVE-2021-45046 by updating log4j to version 2.16 in forthcoming releases of “VMware Telco Cloud Operations”, as outlined by our software support policies. VMSA-2021-0028 will be updated when these releases are available. In the interim, we have updated this Knowledge Base article with revised guidance to remove all JndiLookup classes per Apache Software Foundation guidance. Please subscribe to this article to be informed when updates are published.
Environment
VMware Telco Cloud Operations 1.x
Resolution
1. The following container Services of VMware Telco Cloud Operations 1.4 include a vulnerable log4j version under CVE-2021-44228
a. NotificationService
b. Apiservice
However, the vulnerability is not exploitable, since they are Spring Boot applications that don't override the default logger; see https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot
2. ElasticSearch Container Service uses a vulnerable Log4j version but this is also not exploitable as per Advisory
3. A patch has been released under Telco Cloud Operations 1.4.0.1. The following container services have upgraded the log4j-core component to version 2.16.
a. Omega-alerting
b. omega-enrichment
c. omega-streaming
d. k4m-rest
e. TopologyService
f. MetricService
The Release Notes for the patch release is published under https://docs.vmware.com/en/VMware-Telco-Cloud-Operations/1.4.0.1/rn/VMware-Telco-Cloud-Operations-1401-Release-Note.html
a. NotificationService
b. Apiservice
However, the vulnerability is not exploitable, since they are Spring Boot applications that don't override the default logger; see https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot
2. ElasticSearch Container Service uses a vulnerable Log4j version but this is also not exploitable as per Advisory
3. A patch has been released under Telco Cloud Operations 1.4.0.1. The following container services have upgraded the log4j-core component to version 2.16.
a. Omega-alerting
b. omega-enrichment
c. omega-streaming
d. k4m-rest
e. TopologyService
f. MetricService
The Release Notes for the patch release is published under https://docs.vmware.com/en/VMware-Telco-Cloud-Operations/1.4.0.1/rn/VMware-Telco-Cloud-Operations-1401-Release-Note.html
Additional Information
Change Log:
Impact/Risks:
- 22-December-2021 : Resolution section has been updated with patch release information.
Impact/Risks:
An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. However, there are different layers of protection in VMware Telco Cloud Operations will make exploiting CVE-2021-44228 difficult.
This vulnerability and its impact on VMware products are documented in the following VMware Security Advisory (VMSA), review this document before continuing:
- CVE-2021-44228 - VMSA-2021-0028
Feedback
Yes
No
Powered by
