The steps in this article are taken from VMware's KB article 87097. The only difference is that this blog adds screenshots, which are helpful while implementing the workaround.
I've documented these steps with screenshots and outputs in this PDF too. Click to download it and see the detailed output produced when the workaround is implemented.
NOTE:
If the vRSLCM appliance was first deployed on an earlier 8.x release (8.0 or 8.1), there is a chance that a leftover file named "vmlcm-service-8.1.x-SNAPSHOT.jar" or "vmlcm-service-8.0.x-SNAPSHOT.jar" is still present. The workaround will then fail with the message "vRSLCM services jar does not exist".
To fix this, move the old file to a different location and then execute the script.
The folder always has the structure shown below. The single vmlcm-service-8.6.0-SNAPSHOT.jar is the file the service currently uses; its name carries the version indicator.
Remember, the workaround applies only to vRSLCM 8.2 and later.
Details
CVE-2021-44228 has been determined to impact vRealize Suite Lifecycle Manager 8.2.0 - 8.6.x via the Apache Log4j open-source component it ships. This vulnerability and its impact on VMware products are documented in the following VMware Security Advisory (VMSA); review it before continuing.
CVE-2021-44228 - VMSA-2021-0028
Resolution
The workarounds described in this document are meant to be a temporary solution only.
Upgrades documented in the aforementioned advisory should be applied to remediate CVE-2021-44228 when available.
Workaround
Step:1
Take a snapshot of the vRealize Suite Lifecycle Manager appliance as shown below. The snapshot can also be taken from the vCenter UI.
Step:2
Download the log4jfix.sh file attached to VMware's KB article 87097 and copy it to the /tmp directory of the vRSLCM appliance.
Step:3
Change to the /tmp directory
cd /tmp
Run the following command to make the log4jfix.sh script executable:
chmod +x log4jfix.sh
Step:4
Then execute the script as shown below.
A line containing only * marks lines omitted here; the detailed output is in the attached PDF document.
root@lcm [ /tmp ]# ./log4jfix.sh
Get the version of jar
vRSLCM version: 860
Blackstone version: 861
Archive: vmlcm-service-8.6.0-SNAPSHOT.jar
creating: META-INF/
inflating: META-INF/MANIFEST.MF
creating: org/
creating: org/springframework/
creating: org/springframework/boot/
creating: org/springframework/boot/loader/
inflating: org/springframework/boot/loader/Launcher.class
inflating: org/springframework/boot/loader/JarLauncher.class
creating: org/springframework/boot/loader/archive/
inflating: org/springframework/boot/loader/archive/JarFileArchive$JarFileEntry.class
creating: org/springframework/boot/loader/data/
*
*
*
extracting: BOOT-INF/lib/spring-plugin-core-1.2.0.RELEASE.jar
extracting: BOOT-INF/lib/spring-plugin-metadata-1.2.0.RELEASE.jar
extracting: BOOT-INF/lib/mapstruct-1.2.0.Final.jar
extracting: BOOT-INF/lib/springfox-swagger-ui-2.9.2.jar
updating: BOOT-INF/classes/log4j2.xml
zip warning: Local Entry CRC does not match CD: BOOT-INF/classes/log4j2.xml
(deflated 60%)
test of vmlcm-service-8.6.0-SNAPSHOT.jar OK
Zip action: 0
Waiting for vRLCM services to start.
Waiting for vRLCM services to start.
Waiting for vRLCM services to start.
Waiting for vRLCM services to start.
Waiting for vRLCM services to start.
Waiting for vRLCM services to start.
Waiting for vRLCM services to start.
Waiting for vRLCM services to start.
Waiting for vRLCM services to start.
Waiting for vRLCM services to start.
Archive: blackstone-external-8.6.1.jar
creating: META-INF/
inflating: META-INF/MANIFEST.MF
creating: org/
creating: org/springframework/
creating: org/springframework/boot/
creating: org/springframework/boot/loader/
inflating: org/springframework/boot/loader/Launcher.class
inflating: org/springframework/boot/loader/JarLauncher.class
*
*
*
extracting: BOOT-INF/lib/springfox-swagger-ui-2.9.2.jar
extracting: BOOT-INF/lib/log4j-core-2.8.2.jar
extracting: BOOT-INF/lib/log4j-api-2.8.2.jar
updating: BOOT-INF/classes/log4j2.xml
zip warning: Local Entry CRC does not match CD: BOOT-INF/classes/log4j2.xml
(deflated 61%)
test of blackstone-external-8.6.1.jar OK
Zip action: 0
Waiting for Blackstone services to start.
Waiting for Blackstone services to start.
Waiting for Blackstone services to start.
Waiting for Blackstone services to start.
The workaround is now applied. The script takes approximately 5 to 8 minutes to complete, most of it spent waiting for the vRLCM and Blackstone services to start again after their jars are updated.
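Both the leftover-jar failure described in the NOTE at the top of this post and the run procedure in Steps 1 to 4 can be wrapped in a small pre-flight and post-run check. The script below is an added example written for this post; it is not the KB's log4jfix.sh and not VMware's code. It assumes the directory holding the service jar is passed in as an argument (the post shows that folder only in a screenshot), that the current version string is supplied explicitly (8.6.0 is used as an assumed value), and that unzip is available on the appliance, which the Archive:/inflating: and zip warning lines in the output above indicate.

```shell
#!/bin/sh
# Added example, not part of VMware KB 87097 or this post's original content.
# Pre-flight: make sure exactly one vmlcm-service-*-SNAPSHOT.jar is present,
# quarantine any leftover from an older 8.x deployment, and after log4jfix.sh
# has run, show what the patched jar now contains.
# The service directory is a parameter because the post gives it only in a
# screenshot; the "current version" is passed explicitly (assumed, e.g. 8.6.0).

# Print the number of vmlcm-service-*-SNAPSHOT.jar files in a directory.
count_service_jars() {
    dir=$1
    n=0
    for f in "$dir"/vmlcm-service-*-SNAPSHOT.jar; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Succeed only when exactly one service jar exists; otherwise list the files
# that make log4jfix.sh fail with "vRSLCM services jar does not exist".
preflight() {
    dir=$1
    n=$(count_service_jars "$dir")
    if [ "$n" -eq 1 ]; then
        return 0
    fi
    echo "expected exactly one vmlcm-service-*-SNAPSHOT.jar in $dir, found $n" >&2
    for f in "$dir"/vmlcm-service-*-SNAPSHOT.jar; do
        [ -e "$f" ] && echo "  $f" >&2
    done
    return 1
}

# Move every service jar whose version is not $current into $dest, which is
# the KB's advice to "move this old file to a different location".
# Prints how many files were moved.
quarantine_leftovers() {
    dir=$1
    current=$2
    dest=$3
    mkdir -p "$dest"
    moved=0
    for f in "$dir"/vmlcm-service-*-SNAPSHOT.jar; do
        [ -e "$f" ] || continue
        case $(basename "$f") in
            "vmlcm-service-$current-SNAPSHOT.jar") ;;   # keep the live jar
            *) mv "$f" "$dest"/ && moved=$((moved + 1)) ;;
        esac
    done
    echo "$moved"
}

# Post-run: list the bundled log4j jars and print the log4j2.xml the script
# updated inside the jar, so the change can be reviewed by eye. Needs unzip.
inspect_jar() {
    jar=$1
    unzip -l "$jar" | grep -E 'BOOT-INF/lib/log4j-(core|api)-' || echo "no log4j jars listed in $jar"
    unzip -p "$jar" BOOT-INF/classes/log4j2.xml
}

# Usage: ./preflight.sh <service-dir> [<patched-jar>]
if [ "$#" -ge 1 ]; then
    preflight "$1" || exit 1
    [ "$#" -ge 2 ] && inspect_jar "$2"
fi
```

Run the pre-flight before Step 4 and, if it reports more than one jar, call quarantine_leftovers with the version the service actually uses (the one whose name matches the jar in the output above) before executing log4jfix.sh; run inspect_jar on the patched jar afterwards to confirm log4j2.xml was rewritten.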