How to mitigate Apache log4j on VMware vCenter Appliance
CVE-2021-44228 and CVE-2021-45046 have been determined to impact vCenter Server 7.0.x, vCenter 6.7.x and vCenter 6.5.x via the Apache Log4j open source component they ship.
Currently there is no patch on the VMware site (22.12.2021).
More info about workarounds and patches: VMware VMSA-2021-0028.5 page
Resolution (workaround)
- Download the script attached to this KB (vc_log4j_mitigator.py)
- Log in to the vCSA using an SSH client
- Enable the bash shell on the VCSA; otherwise you get the error message "Received too large SFTP packet"
- Transfer the file to the /tmp folder on the vCenter Server Appliance using WinSCP
- Create a backup of your VCSA, at least a snapshot
- Execute "python vc_log4j_mitigator.py"
This stops all vCenter services, updates all necessary files with the formatMsgNoLookups flag, removes the JndiLookup.class from all jar/war files on the appliance, and finally starts all vCenter services again. The files that the script modifies are reported as the script runs.
- To verify that no more vulnerable files exist, execute "python vc_log4j_mitigator.py -r" (-r means dry run)
- The list of vulnerable files should be zero
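To illustrate what the dry-run check above is looking for, here is an added, read-only scanner written for this post; it is not VMware's vc_log4j_mitigator.py. It walks a directory, opens every jar/war/ear archive and reports those containing org/apache/logging/log4j/core/lookup/JndiLookup.class, the class the mitigation removes. It also descends into archives nested inside archives (a log4j jar under WEB-INF/lib of a war), which a plain filename search would miss. The sample archives built by build_sample_tree() are constructed for the demonstration; the function and file names are assumptions of this example.

```python
"""Read-only scanner for the log4j JndiLookup.class inside jar/war archives.

Added example, not VMware's vc_log4j_mitigator.py. It only reports and
never modifies anything. Nested archives (a jar inside a war) are scanned
recursively, because that is where log4j usually lives in web apps.
"""
import io
import os
import tempfile
import zipfile

# Path of the class inside log4j-core that the mitigation deletes
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def _scan_zip(zf, path):
    """Return display paths (outer!inner) at which JndiLookup.class is found."""
    hits = []
    for name in zf.namelist():
        if name == JNDI_CLASS:
            hits.append(path)
        elif name.lower().endswith(ARCHIVE_EXTS):
            # Nested archive: read it into memory and recurse into it
            with zf.open(name) as inner:
                data = inner.read()
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as inner_zf:
                    hits.extend(_scan_zip(inner_zf, f"{path}!{name}"))
            except zipfile.BadZipFile:
                continue
    return hits


def find_vulnerable_archives(root):
    """Walk root and return sorted paths of archives that still contain JndiLookup.class."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ARCHIVE_EXTS):
                continue
            full = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(full) as zf:
                    hits.extend(_scan_zip(zf, full))
            except zipfile.BadZipFile:
                continue  # not a real zip despite its extension
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample data: a vulnerable jar, a clean jar and a war nesting the vulnerable jar."""
    os.makedirs(root, exist_ok=True)
    fake_class = b"\xca\xfe\xba\xbe"  # placeholder bytes, not real bytecode
    vuln = os.path.join(root, "log4j-core.jar")
    with zipfile.ZipFile(vuln, "w") as zf:
        zf.writestr(JNDI_CLASS, fake_class)
        zf.writestr("org/apache/logging/log4j/core/Logger.class", fake_class)
    clean = os.path.join(root, "log4j-api.jar")
    with zipfile.ZipFile(clean, "w") as zf:
        zf.writestr("org/apache/logging/log4j/Logger.class", fake_class)
    with open(vuln, "rb") as f:
        vuln_bytes = f.read()
    war = os.path.join(root, "webapp.war")
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core.jar", vuln_bytes)
    return root


def demo():
    """Build the constructed sample tree in a temp dir and return the scan result."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_tree(root)
    return find_vulnerable_archives(root)


if __name__ == "__main__":
    for hit in demo():
        print("VULNERABLE:", hit)
```

Running it against a real appliance directory (for example find_vulnerable_archives("/usr/lib/vmware")) after the mitigation should return an empty list; any path printed with a "!" in it points at a nested archive, which is exactly the case where checking only the outer filenames would give a false sense of safety.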
IMPORTANT
Upgrading the vCenter Appliance to an unmitigated version will put the environment into a vulnerable state again. Run the vc_log4j_mitigator.py script again after upgrading to correct this.
UPDATE 1. 2. 2022
VMware vCenter Server 7.0 Update 3c was released (build 19234570), in which Apache log4j is updated to version 2.17 to resolve CVE-2021-44228 and CVE-2021-45046. Please update your VCSA appliance immediately. My best practice is to update via VAMI.
Still waiting for an update for VCSA 6.5 and 6.7.
Is it necessary to remove the HA before the execution of the script?
Hi, no, it's not necessary to disable HA before the execution of the script, because you run the script on the VCSA appliance.