Log4j patch for vRealize Automation 7.6 and vRealize Orchestrator 7.6 (KB87121)

Hi!

Over the past few days, a critical vulnerability has been identified in the Apache Log4j module, and many applications around the world are affected by it.

The latest information regarding VMware Products which have been affected by this vulnerability can be found here:

For VMware vRealize Lifecycle Manager 8.x – Please check on our previous blog here.

For VMware Identity Manager 3.3.3 – 3.3.5 – Please check on our previous blog here.

For VMware vRealize Automation 8.x – Please check on our previous blog here.

For VMware vRealize Automation 7.6 and vRealize Orchestrator 7.6, VMware provides a workaround. See the KB below:

VMware has stated that a final solution will be released, and that the upgrades documented in the aforementioned advisory should be applied to remediate CVE-2021-44228 when available.

Meanwhile, the workaround is the manual process below:

1 – Take simultaneous VM snapshots, without memory, of all nodes in the cluster.

2 – Log in via SSH or the virtual machine console to EACH ONE of the nodes in the vRA / vRO cluster.

3 – Run the following commands ON EACH of the vRA or vRO cluster nodes:

3 – A) Stop the vco-configurator service

service vco-configurator stop

3 – B) Append the -Dlog4j2.formatMsgNoLookups=true Java option for log4j versions >=2.10 and delete JndiLookup.class for log4j versions >=2.0 and <2.10 by executing the following command:

base64 -d <<< "ZWNobyAiJChhd2sgJ0ZOUj09TlJ7IGlmICgvXkpWTV9PUFRTPS8pIHA9TlI7IG5leHR9IDE7IEZOUj09cHsgcHJpbnQgIkpWTV9PUFRTPVwiJEpWTV9PUFRTIC1EbG9nNGoyLmZvcm1hdE1zZ05vTG9va3Vwcz10cnVlXCIiIH0nIC91c3IvbGliL3Zjby9jb25maWd1cmF0aW9uL2Jpbi9zZXRlbnYuc2ggL3Vzci9saWIvdmNvL2NvbmZpZ3VyYXRpb24vYmluL3NldGVudi5zaCkiID4gL3Vzci9saWIvdmNvL2NvbmZpZ3VyYXRpb24vYmluL3NldGVudi5zaAoKZWNobyAiJChhd2sgJ0ZOUj09TlJ7IGlmICgvXkpWTV9PUFRTPS8pIHA9TlI7IG5leHR9IDE7IEZOUj09cHsgcHJpbnQgIkpWTV9PUFRTPVwiJEpWTV9PUFRTIC1EbG9nNGoyLmZvcm1hdE1zZ05vTG9va3Vwcz10cnVlXCIiIH0nIC91c3IvbGliL3Zjby9hcHAtc2VydmVyL2Jpbi9zZXRlbnYuc2ggL3Vzci9saWIvdmNvL2FwcC1zZXJ2ZXIvYmluL3NldGVudi5zaCkiID4gL3Vzci9saWIvdmNvL2FwcC1zZXJ2ZXIvYmluL3NldGVudi5zaAoKZWNobyAiJChhd2sgJ0ZOUj09TlJ7IGlmICgvXlx0K1JFVFZBTD1cJC8pIHA9TlI7IG5leHR9IDE7IEZOUj09cHsgcHJpbnQgImJhc2U2NCAtZCA8PDxcIkl5RXZZbWx1TDJKaGMyZ0taV05vYnlBblYyRnBkR2x1WnlCbWIzSWdkbEpQSUhObGNuWmxjaUJ6WlhKMmFXTmxJSFJ2SUhOMFlYSjBMaTR1SndwbWIzSWdhU0JwYmlCN01TNHVNVEl3ZlFwa2J3b2dJQ0J6ZEdGMGRYTmZZMjlrWlQxZ1kzVnliQ0F0YXlBdExXeHZZMkYwYVc5dUlDMHRiV0Y0TFhScGJXVWdNekFnTFc4Z0wyUmxkaTl1ZFd4c0lDMXpJQzEzSUNJbGUyaDBkSEJmWTI5a1pYMWNiaUlnSjJoMGRIQTZMeTlzYjJOaGJHaHZjM1E2T0RJNE1DOTJZMjh2WVhCcEwyaGxZV3gwYUhOMFlYUjFjeWRnQ2lBZ0lGdGJJQ0lrZTNOMFlYUjFjMTlqYjJSbGZTSWdQVDBnSWpJaUtpQmRYU0FtSmlCaWNtVmhhd29nSUNCbFkyaHZJQ0oyVWs4Z2MyVnlkbVZ5SUhObGNuWnBZMlVnYVhNZ2MzUnBiR3dnYzNSaGNuUnBibWN1TGk0aUNpQWdJSE5zWldWd0lEVUtaRzl1WlFvS1pXTm9ieUFuVkdobElFcHVaR2xNYjI5cmRYQXVZMnhoYzNNZ2QybHNiQ0JpWlNCa1pXeGxkR1ZrSUdadmNpQmhiR3dnYkc5bk5Hb2dkbVZ5YzJsdmJuTWdQajB5TGpBZ1lXNWtJRHdnTWk0eE1DY0tabWx1WkNBdklDMTRaR1YySUMxMGVYQmxJR1lnTFhKbFoyVjRJQ2RlTGlwc2IyYzBhaTFqYjNKbExUSmJMbDFiTUMwNVhWc3VYUzRxYW1GeUpDY2dMV1Y0WldNZ0wzVnpjaTlpYVc0dmVtbHdJQzF4SUMxa0lIdDlJRzl5Wnk5aGNHRmphR1V2Ykc5bloybHVaeTlzYjJjMGFpOWpiM0psTDJ4dmIydDFjQzlLYm1ScFRHOXZhM1Z3TG1Oc1lYTnpJRnc3Q2dwcFppQmJXeUFpSkh0emRHRjBkWE5mWTI5a1pYMGlJRDA5SUNJeUlpb2dYVjA3Q25Sb1pXNEtJQ0FnWldOb2J5QW5kbEpQSUhObGNuWmxjaUJ6WlhKMmFXTmxJSE4wWVhKMFpXUWdjM1ZqWTJWemMyWjFiR3g1SVNjS1pXeHpaUW9nSUNCbFkyaHZJQ2QyVWs4Z2MyVnlkb
VZ5SUhObGNuWnBZMlVnWkdsa0lHNXZkQ0J6ZEdGeWRDQjNhWFJvYVc0Z2RHaGxJR1Y0Y0dWamRHVmtJSEJsY21sdlpDNGdRMmhsWTJzZ2MzUmhkSFZ6SUc5bUlIWlNUeUJ6WlhKMlpYSWdjMlZ5ZG1salpTQXZkbUZ5TDJ4dlp5OTJZMjh2WVhCd0xYTmxjblpsY2k5elpYSjJaWEl1Ykc5bklHWnZjaUJ0YjNKbElHUmxkR0ZwYkhNdUp3b2dJQ0JsZUdsMElERUtabWs9XCIgfCBzaCAtICA+IC90bXAvdnJvX3N0YXJ0dXAubG9nICYgIiB9JyAvdmFyL2xpYi92Y28vYXBwLXNlcnZlci9iaW4vaW5pdC5kLnNoIC92YXIvbGliL3Zjby9hcHAtc2VydmVyL2Jpbi9pbml0LmQuc2gpIiA+IC92YXIvbGliL3Zjby9hcHAtc2VydmVyL2Jpbi9pbml0LmQuc2gKCgo=" | sh -

4 – Update Control Center

/usr/lib/vco/tools/configuration-cli/bin/vro-configure-inner.sh controlcenter-update

5 – Run the following commands to update the vRA configuration

echo 'VCAC_OPTS="$VCAC_OPTS -Dlog4j2.formatMsgNoLookups=true"' >> /etc/vcac/setenv-user

find / -xdev -type f -regex '^.*log4j-core-2[.][0-9][.].*jar$' -exec /usr/bin/zip -q -d {} org/apache/logging/log4j/core/lookup/JndiLookup.class \;

6 – Restart the services with the commands below

  1. service horizon-workspace restart && base64 -d <<< "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" | sh -
  2. service elasticsearch restart
  3. service vco-server status | grep PID && service vco-server restart
  4. service vco-configurator start
  5. service vcac-server restart

THIS WILL CAUSE PRODUCTION DOWNTIME, so be aware of it.
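
To confirm on each node that the workaround took effect once the services are back, here is a check written for this post as an added example; it is not part of the KB. The function names and the --run switch are assumptions of the example, while the class path, the JVM option, the find expression and /etc/vcac/setenv-user are taken from the steps above.

```shell
#!/bin/bash
# Added example (not from the KB): post-workaround check for one node.
CLASS='org/apache/logging/log4j/core/lookup/JndiLookup.class'
FLAG='-Dlog4j2.formatMsgNoLookups=true'

# Print every log4j-core 2.0-2.9 jar under directory $1 that still contains
# JndiLookup.class. Uses the same find expression as step 5.
jars_with_jndilookup() {
    find "$1" -xdev -type f -regex '^.*log4j-core-2[.][0-9][.].*jar$' 2>/dev/null |
    while IFS= read -r jar; do
        # ZIP keeps entry names uncompressed, so a fixed-string grep on the
        # archive finds the entry. Jars nested inside other archives are not
        # seen here (nor by the find/zip command in step 5).
        if grep -qF -e "$CLASS" "$jar"; then
            printf '%s\n' "$jar"
        fi
    done
}

# Print each given file that is missing or lacks the formatMsgNoLookups option.
files_missing_flag() {
    for f in "$@"; do
        grep -qF -e "$FLAG" "$f" 2>/dev/null || printf '%s\n' "$f"
    done
}

# Returns 0 only when no finding remains. $1 = search root (default /).
verify_node() {
    bad_jars=$(jars_with_jndilookup "${1:-/}")
    bad_cfg=$(files_missing_flag /etc/vcac/setenv-user)
    [ -z "$bad_jars" ] || printf 'JndiLookup.class still present in:\n%s\n' "$bad_jars"
    [ -z "$bad_cfg" ] || printf 'Option not set in:\n%s\n' "$bad_cfg"
    [ -z "$bad_jars$bad_cfg" ]
}

# Run only when asked, e.g.: bash check-log4j.sh --run
if [ "${1:-}" = "--run" ]; then
    verify_node /
fi
```

A non-zero exit status means at least one jar or configuration file still needs attention on that node.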

Good luck!