
ARUN NUKULA


Implementing workaround to remediate CVE-2021-44228 for vRealize LogInsight 8.2 - 8.6 versions

Updated: Jun 13, 2022



Here's the PDF document of the same instructions





Note: The content of this blog is the same as in KB: 87089, but with screenshots and expected outputs to make things easier.




Purpose

  • CVE-2021-44228 has been determined to be present in vRealize Log Insight 8.2 - 8.6 via the Apache Log4j open source component that it ships.

  • This vulnerability and its impact on VMware products are documented in the following VMware Security Advisory (VMSA). Please review it before continuing: CVE-2021-44228 - VMSA-2021-0028




Resolution

  • The workarounds described in this document are meant to be a temporary solution only.

  • Upgrades documented in the aforementioned advisory should be applied to remediate CVE-2021-44228 when available





Workaround

  • To apply the workaround for CVE-2021-44228 to vRealize Log Insight, perform the following steps:


For each vRealize Log Insight node:


Step 1

Download the li-log4j-fix.sh script and copy it to the /tmp directory



Step 2

SSH to the node (or use the Console by pressing Alt+F1), log in as root, and then change to /tmp, where the script has been copied


cd /tmp

Step 3

List the files to confirm that the li-log4j-fix.sh script is present


Step 4

Run the command below to make the script executable



chmod +x /tmp/li-log4j-fix.sh


Once executed, you will see that the permissions of the file have changed


Step 5


The next step is to execute the script


root@li [ /tmp ]# ./li-log4j-fix.sh 

Hardening Log Insight appliance against CVE-2021-44228. For more information refer to: https://www.tenable.com/cve/CVE-2021-44228. 

Patching Log Insight Java options: /etc/default/loginsight... SUCCESS 
Patching Cassandra Java options: /usr/lib/loginsight/application/lib/apache-cassandra-*/conf/jvm.options... SUCCESS 
Patching Tomcat Java options: /usr/lib/loginsight/application/3rd_party/apache-tomcat-*/bin/catalina.sh... SUCCESS 

ATTENTION: Please restart Log Insight service for the patch to take effect.

Step 6

Once done, perform a Log Insight service restart


service loginsight restart 

Wait a few seconds until vRealize Log Insight is fully up




NOTE:

  • Since I have a standalone node for vRealize LogInsight, there was no need for me to upload and implement the patch on other nodes. If there are multiple nodes in your environment, then these steps have to be followed on each node, one after another

  • Ensure the LogInsight services are completely up and running before proceeding to the next server





Validation

  • To verify the workaround for CVE-2021-44228 has been correctly applied to vRealize Log Insight, perform the following steps:

    1. Log into each node as root via SSH or Console, pressing ALT+F1 in a Console to log in

    2. Run the following command to verify if the workaround was successful:


ps axf | grep --color log4j2.formatMsgNoLookups | grep -v grep


Note: There should be output from the above command.

If there was no output on a particular node, that node was not successfully modified.

Re-run the script on that node, following the instructions above.
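
The grep above succeeds as soon as any one process carries the flag. As an added example (not part of the original post or the VMware KB), the shell function below checks each running Java process individually and prints the PID of any that was started without -Dlog4j2.formatMsgNoLookups=true, which is what happens when a process was not restarted after the script ran. The sample ps lines and paths are constructed, and it assumes every Java process on the node belongs to Log Insight.

```shell
#!/bin/sh
# Added example, not from the original post or the VMware KB.
# JVM system property that the workaround adds to the Java options.
FLAG='-Dlog4j2.formatMsgNoLookups=true'

# Reads "PID COMMAND ARGS..." lines on stdin (the format of `ps -eo pid=,args=`)
# and prints the PID of every Java process started without FLAG.
# Return status: 0 = every Java process has the flag
#                1 = at least one Java process lacks it
#                2 = no Java process found (service not running?)
java_missing_flag() {
    awk -v flag="$FLAG" '
        # Only consider processes whose executable is named "java".
        $2 == "java" || $2 ~ /\/java$/ {
            seen++
            found = 0
            for (i = 3; i <= NF; i++)
                if ($i == flag) found = 1
            if (!found) { print $1; missing++ }
        }
        END {
            if (!seen) exit 2
            exit (missing > 0)
        }
    '
}

# Constructed sample input (hypothetical paths and class names).
# PID 1622 stands for a process that was not restarted after patching.
SAMPLE_PS='  812 /usr/sbin/sshd -D
 1501 /opt/example/jre/bin/java -Xmx1g -Dlog4j2.formatMsgNoLookups=true -cp daemon.jar ExampleDaemon
 1622 /opt/example/jre/bin/java -Xms512m -cp cassandra.jar ExampleCassandra
 1700 grep --color log4j2.formatMsgNoLookups'

# Demo on the sample. On a node, use: ps -eo pid=,args= | java_missing_flag
if stale=$(printf '%s\n' "$SAMPLE_PS" | java_missing_flag); then
    echo "all Java processes carry $FLAG"
else
    echo "check failed; Java PIDs without the flag: ${stale:-none found}"
fi
```

A non-zero status on any node means the service on that node still needs a restart or the script needs to be re-run there.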




 
 
 
