KMVBLOG

Notes on VMware troubleshooting, configuration and verification

Handling the Apache Log4j vulnerabilities in VMware Cloud Foundation

This post is about the critical Apache Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046.

www.jpcert.or.jp

Apache Log4j has a feature called Lookups, which replaces parts of a logged string with variable values. If the JNDI Lookup is abused, a remote third party can send a crafted string; when Log4j writes it to the log, the lookup makes Log4j load a Java class file from the remote endpoint or internal path named in the string and execute it, which can result in arbitrary code execution.

VMware has published the impact on several of its products as well.

The affected products and available workarounds are listed in VMSA-2021-0028:

www.vmware.com

Workarounds for some VCF components (Cloud Builder and SDDC Manager) have been published, so I tried them out.

Cloud Builder CVE-2021-44228 workaround

This workaround applies to Cloud Builder in all VCF 3.x and 4.x releases.

Connect to Cloud Builder over SSH.

Escalate to root with su:

admin@vcf-cb01 [ ~ ]$ su

Stop the imaging service:

root@vcf-cb01 [ /home/admin ]# systemctl stop imaging

Confirm that the imaging service has stopped:

root@vcf-cb01 [ /home/admin ]# systemctl status imaging

Take a backup of the following file before editing it:

/opt/vmware/evorack-imaging/imaging-util-scripts/start-parent-imaging-service.sh

root@vcf-cb01 [ /home/admin ]# cp /opt/vmware/evorack-imaging/imaging-util-scripts/start-parent-imaging-service.sh /opt/vmware/evorack-imaging/imaging-util-scripts/start-parent-imaging-service.sh.orig

Edit /opt/vmware/evorack-imaging/imaging-util-scripts/start-parent-imaging-service.sh, adding -Dlog4j2.formatMsgNoLookups=true to the java command line as shown below (the option must appear before the jar path, otherwise the JVM passes it to the application as an argument):

root@vcf-cb01 [ /home/admin ]# vi /opt/vmware/evorack-imaging/imaging-util-scripts/start-parent-imaging-service.sh

Before

nohup /etc/alternatives/jre/bin/java -jar -Dserver.port=$VIA_SERVICE_PORT -Dspring.config.additional-location=$VIA_EXTERNAL_PROPERTIES_PATH,$VIA_DB_PROPERTIES_FILE -Dserver.servlet.context-path=$VIA_CONTEXT_PATH $VIA_SERVICE_PATH < /dev/null >>$LOGFILE 2>&1 &

After

nohup /etc/alternatives/jre/bin/java -jar -Dserver.port=$VIA_SERVICE_PORT -Dlog4j2.formatMsgNoLookups=true -Dspring.config.additional-location=$VIA_EXTERNAL_PROPERTIES_PATH,$VIA_DB_PROPERTIES_FILE -Dserver.servlet.context-path=$VIA_CONTEXT_PATH $VIA_SERVICE_PATH < /dev/null >>$LOGFILE 2>&1 &

 

Take a backup of the following file as well before editing it:

/opt/vmware/evorack-imaging/imaging-util-scripts/start-imaging-services.sh

root@vcf-cb01 [ /home/admin ]# cp /opt/vmware/evorack-imaging/imaging-util-scripts/start-imaging-services.sh /opt/vmware/evorack-imaging/imaging-util-scripts/start-imaging-services.sh.orig

Edit /opt/vmware/evorack-imaging/imaging-util-scripts/start-imaging-services.sh in the same way:

 

Before

nohup /etc/alternatives/jre/bin/java -jar -Dserver.port=$SECOND -Dspring.config.additional-location=$VIA_DB_PROPERTIES_FILE $name < /dev/null >>$LOGFILE 2>&1 &

After

nohup /etc/alternatives/jre/bin/java -jar -Dserver.port=$SECOND -Dlog4j2.formatMsgNoLookups=true -Dspring.config.additional-location=$VIA_DB_PROPERTIES_FILE $name < /dev/null >>$LOGFILE 2>&1 &

 

Once both edits are done, start the service:

root@vcf-cb01 [ /home/admin ]# systemctl start imaging

Confirm that the service is up (Active: active (running)):

root@vcf-cb01 [ /home/admin ]# systemctl status imaging

Finally, confirm that both imaging JVMs (via.jar and the evorack-imaging-esxi-service jar) are running with the -Dlog4j2.formatMsgNoLookups=true option:

root@vcf-cb01 [ /home/admin ]# ps -ef|grep jar
root      9184     1 26 15:06 ?        00:00:18 /etc/alternatives/jre/bin/java -jar -Dserver.port=8445 -Dlog4j2.formatMsgNoLookups=true -Dspring.config.additional-location=/opt/vmware/evorack-imaging/config/via.properties,/opt/vmware/evorack-imaging/config/via-db-ext.properties -Dserver.servlet.context-path=/via /opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar
root      9654  8756 32 15:07 ?        00:00:16 /etc/alternatives/jre/bin/java -jar -Dserver.port=8081 -Dlog4j2.formatMsgNoLookups=true -Dspring.config.additional-location=/opt/vmware/evorack-imaging/config/via-db-ext.properties /opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar
root     10087  4157  0 15:08 pts/0    00:00:00 grep --color=auto jar

 

Cloud Builder CVE-2021-45046 workaround

The formatMsgNoLookups flag from the previous section does not mitigate CVE-2021-45046. For that, the JndiLookup class is removed from the log4j-core jar bundled inside each imaging service jar.

Connect to Cloud Builder over SSH.

Escalate to root with su:

admin@vcf-cb01 [ ~ ]$ su

Stop the imaging service:

root@vcf-cb01 [ /home/admin ]# systemctl stop imaging

Remediating the evorack-imaging-esxi-service jar

Create a temporary directory:

root@vcf-cb01 [ /home/admin ]# mktemp -d -t log4j-XXXXXXXXXX

Example output:

root@vcf-cb01 [ /home/admin ]# mktemp -d -t log4j-XXXXXXXXXX
/tmp/log4j-TChoNYNPvH

Run the following command to check whether log4j-core is present inside evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar:

root@vcf-cb01 [ /home/admin ]# zipinfo -1 "/opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar" | grep log4j-core-*

Example output:

root@vcf-cb01 [ /home/admin ]# zipinfo -1 "/opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar" | grep log4j-core-*

BOOT-INF/lib/log4j-core-2.13.1.jar

Copy the path of the directory created by mktemp and extract the nested log4j-core jar into it:

root@vcf-cb01 [ /home/admin ]# unzip "/opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar" "BOOT-INF/lib/log4j-core-2.13.1.jar" -d "/tmp/log4j-TChoNYNPvH"

Check whether the extracted log4j-core jar contains JndiLookup.class:

root@vcf-cb01 [ /home/admin ]# zipinfo -1 /tmp/log4j-TChoNYNPvH/BOOT-INF/lib/log4j-core-2.13.1.jar | grep -q "org/apache/logging/log4j/core/lookup/JndiLookup.class"

Then read the exit status of that grep. Run echo $? immediately after it: $? holds the exit status of the most recent command, so anything run in between overwrites it.

root@vcf-cb01 [ /home/admin ]# echo $?

If the value is 1, the class is not present and nothing more needs to be done for this jar; proceed to via.jar.

If the value is 0, JndiLookup.class is present and must be deleted from the extracted jar:

root@vcf-cb01 [ /home/admin ]# zip -q -d "/tmp/log4j-TChoNYNPvH/BOOT-INF/lib/log4j-core-2.13.1.jar" "org/apache/logging/log4j/core/lookup/JndiLookup.class"

This removes JndiLookup.class from log4j-core-2.13.1.jar.

Update the evorack-imaging jar with the modified log4j-core. The -0 is required: Spring Boot's launcher needs nested jars stored uncompressed, so the entry has to be written back with no compression.

root@vcf-cb01 [ /home/admin ]# cd "/tmp/log4j-TChoNYNPvH" && zip -ur -0 "/opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar"

Example output:

root@vcf-cb01 [ /home/admin ]# cd "/tmp/log4j-TChoNYNPvH" && zip -ur -0 "/opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar"
updating: BOOT-INF/ (stored 0%)
updating: BOOT-INF/lib/ (stored 0%)
updating: BOOT-INF/lib/log4j-core-2.13.1.jar (stored 0%)

Remediating via.jar

Create a temporary directory:

root@vcf-cb01 [ /home/admin ]# mktemp -d -t log4j-XXXXXXXXXX

Example output:

root@vcf-cb01 [ /home/admin ]# mktemp -d -t log4j-XXXXXXXXXX
/tmp/log4j-ZjZ9Z0Itul

Run the following command to check whether log4j-core is present inside via.jar:

root@vcf-cb01 [ /home/admin ]# zipinfo -1 "/opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar" | grep log4j-core-*

Example output:

root@vcf-cb01 [ /home/admin ]# zipinfo -1 "/opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar" | grep log4j-core-*
BOOT-INF/lib/log4j-core-2.13.1.jar

Copy the path of the directory created by mktemp, extract the nested log4j-core jar into it, and check it for JndiLookup.class:

root@vcf-cb01 [ /home/admin ]# unzip "/opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar" "BOOT-INF/lib/log4j-core-2.13.1.jar" -d "/tmp/log4j-ZjZ9Z0Itul"

root@vcf-cb01 [ /home/admin ]# zipinfo -1 /tmp/log4j-ZjZ9Z0Itul/BOOT-INF/lib/log4j-core-2.13.1.jar | grep -q "org/apache/logging/log4j/core/lookup/JndiLookup.class"

Read the exit status of the grep immediately afterwards:

root@vcf-cb01 [ /home/admin ]# echo $?

If the value is 1, the class is not present and nothing more needs to be done; proceed to starting the imaging service.

If the value is 0, JndiLookup.class is present and must be deleted from the extracted jar:

root@vcf-cb01 [ /home/admin ]# zip -q -d "/tmp/log4j-ZjZ9Z0Itul/BOOT-INF/lib/log4j-core-2.13.1.jar" "org/apache/logging/log4j/core/lookup/JndiLookup.class"

This removes JndiLookup.class from log4j-core-2.13.1.jar.

Update via.jar with the modified log4j-core (again with -0, so the nested jar is stored uncompressed):

root@vcf-cb01 [ /home/admin ]# cd "/tmp/log4j-ZjZ9Z0Itul" && zip -ur -0 "/opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar"

Example output:

root@vcf-cb01 [ /home/admin ]# cd "/tmp/log4j-ZjZ9Z0Itul" && zip -ur -0 "/opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar"
updating: BOOT-INF/ (stored 0%)
updating: BOOT-INF/lib/ (stored 0%)
updating: BOOT-INF/lib/log4j-core-2.13.1.jar (stored 0%)

Start the imaging service:

root@vcf-cb01 [ /tmp/log4j-ZjZ9Z0Itul ]# systemctl start imaging

Running the workaround with the VMware script (recommended)

The script handles both CVE-2021-44228 and CVE-2021-45046.

VMware recommends running the script even if you have already applied the manual CVE-2021-44228 workaround above.

Download the script file "log4j_via_v3.sh" attached to the KB and copy it to the /home/admin directory on Cloud Builder.

Connect to Cloud Builder over SSH.

Escalate to root with su:

admin@vcf-cb01 [ ~ ]$ su

Run the script:

root@vcf-cb01 [ /home/admin ]# bash log4j_via_v3.sh

Example output (the manual steps above had already been applied on this system, so the script finds the class already gone and the flag already present, and only verifies):

root@vcf-cb01 [ /home/admin ]# bash log4j_via_v3.sh
» Starting to remediate log4j issue in imaging service.
» ---
» Stopping imaging service: [systemctl stop imaging]
» ---
» Stage 1 - Entering remediation stage.
» Step 1 - Remove JndiLookup class for CVE-2021-45046. Scanning if any of imaging jars [/opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar /opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar] exist in system.
» Found imaging jar [/opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar] that needs analysis for existence of JndiLookup class.
» Creating a working directory [/tmp/log4j-MxSOaIPnKF]
» Successfully created working directory [/tmp/log4j-MxSOaIPnKF] for updating [/opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar]
» Looking for [log4j-core-*] in [/opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar]
» Executing: [(zipinfo -1 /opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar | grep log4j-core-*) || exit 1]
» Extracting [BOOT-INF/lib/log4j-core-2.13.1.jar] from [/opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar] to temp directory [/tmp/log4j-MxSOaIPnKF]
» Executing: [unzip /opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar BOOT-INF/lib/log4j-core-2.13.1.jar -d /tmp/log4j-MxSOaIPnKF || exit 1]
Archive:  /opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar
 extracting: /tmp/log4j-MxSOaIPnKF/BOOT-INF/lib/log4j-core-2.13.1.jar
» Scanning [/tmp/log4j-MxSOaIPnKF/BOOT-INF/lib/log4j-core-2.13.1.jar] to check if [org/apache/logging/log4j/core/lookup/JndiLookup.class] exists.
» Executing: [zipinfo -1 /tmp/log4j-MxSOaIPnKF/BOOT-INF/lib/log4j-core-2.13.1.jar | grep -q org/apache/logging/log4j/core/lookup/JndiLookup.class]
» Scanning completed. [/tmp/log4j-MxSOaIPnKF/BOOT-INF/lib/log4j-core-2.13.1.jar] does not have the affected class. No clean-up needed.
» Cleaning up working directory [/tmp/log4j-MxSOaIPnKF]
» Cleaned up working directory [/tmp/log4j-MxSOaIPnKF]
» ---
» Found imaging jar [/opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar] that needs analysis for existence of JndiLookup class.
» Creating a working directory [/tmp/log4j-sFS5k5n2D2]
» Successfully created working directory [/tmp/log4j-sFS5k5n2D2] for updating [/opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar]
» Looking for [log4j-core-*] in [/opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar]
» Executing: [(zipinfo -1 /opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar | grep log4j-core-*) || exit 1]
» Extracting [BOOT-INF/lib/log4j-core-2.13.1.jar] from [/opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar] to temp directory [/tmp/log4j-sFS5k5n2D2]
» Executing: [unzip /opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar BOOT-INF/lib/log4j-core-2.13.1.jar -d /tmp/log4j-sFS5k5n2D2 || exit 1]
Archive:  /opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar
 extracting: /tmp/log4j-sFS5k5n2D2/BOOT-INF/lib/log4j-core-2.13.1.jar
» Scanning [/tmp/log4j-sFS5k5n2D2/BOOT-INF/lib/log4j-core-2.13.1.jar] to check if [org/apache/logging/log4j/core/lookup/JndiLookup.class] exists.
» Executing: [zipinfo -1 /tmp/log4j-sFS5k5n2D2/BOOT-INF/lib/log4j-core-2.13.1.jar | grep -q org/apache/logging/log4j/core/lookup/JndiLookup.class]
» Scanning completed. [/tmp/log4j-sFS5k5n2D2/BOOT-INF/lib/log4j-core-2.13.1.jar] does not have the affected class. No clean-up needed.
» Cleaning up working directory [/tmp/log4j-sFS5k5n2D2]
» Cleaned up working directory [/tmp/log4j-sFS5k5n2D2]
» ---
» Remediation successful for CVE-2021-45046.
» Step 2 - Add flag [-Dlog4j2.formatMsgNoLookups=true] to imaging service start scripts for CVE-2021-44228.
» Check if backup of [/opt/vmware/evorack-imaging/imaging-util-scripts/start-parent-imaging-service.sh] exists
» Backup file already exists under /opt/vmware/evorack-imaging/imaging-util-scripts/start-parent-imaging-service.sh.orig
» File [/opt/vmware/evorack-imaging/imaging-util-scripts/start-parent-imaging-service.sh] already contains [-jar -Dserver.port=$VIA_SERVICE_PORT -Dlog4j2.formatMsgNoLookups=true]. No file updates necessary.
» Check if backup of [/opt/vmware/evorack-imaging/imaging-util-scripts/start-imaging-services.sh] exists.
» Backup file already exists under [/opt/vmware/evorack-imaging/imaging-util-scripts/start-imaging-services.sh.orig]
» File [/opt/vmware/evorack-imaging/imaging-util-scripts/start-imaging-services.sh] already contains [-jar -Dserver.port=$SECOND -Dlog4j2.formatMsgNoLookups=true]. No file updates necessary.
» Starting imaging service: systemctl start imaging
» ---
» Remediation successful for CVE-2021-44228.
» Stage 2 - Entering verification stage.
» Step 1 - Verification of remediation for CVE-2021-45046.
» Verifying classpath removal.
» Making sure JndiLookup class [org/apache/logging/log4j/core/lookup/JndiLookup.class] shouldn't exist in imaging jar [/opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar]
» Creating a working directory [/tmp/log4j-qoy12HBnND]
» Successfully created working directory [/tmp/log4j-qoy12HBnND] for updating [/opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar]
» Looking for [log4j-core-*] in [/opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar]
» Executing: [(zipinfo -1 /opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar | grep log4j-core-*) || exit 1]
» Extracting [BOOT-INF/lib/log4j-core-2.13.1.jar] from [/opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar] to temp directory [/tmp/log4j-qoy12HBnND]
» Executing: [unzip /opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar BOOT-INF/lib/log4j-core-2.13.1.jar -d /tmp/log4j-qoy12HBnND || exit 1]
Archive:  /opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar
 extracting: /tmp/log4j-qoy12HBnND/BOOT-INF/lib/log4j-core-2.13.1.jar
» Scanning [/tmp/log4j-qoy12HBnND/BOOT-INF/lib/log4j-core-2.13.1.jar] to check if [org/apache/logging/log4j/core/lookup/JndiLookup.class] exists.
» Executing: [zipinfo -1 /tmp/log4j-qoy12HBnND/BOOT-INF/lib/log4j-core-2.13.1.jar | grep -q org/apache/logging/log4j/core/lookup/JndiLookup.class]
» ---
» Scanning completed.
» Verified [/tmp/log4j-qoy12HBnND/BOOT-INF/lib/log4j-core-2.13.1.jar] does not have the affected class.
» ---
» Cleaning up working directory [/tmp/log4j-qoy12HBnND]
» Cleaned up working directory [/tmp/log4j-qoy12HBnND]
» ---
» Making sure JndiLookup class [org/apache/logging/log4j/core/lookup/JndiLookup.class] shouldn't exist in imaging jar [/opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar]
» Creating a working directory [/tmp/log4j-eDdiOOpPJf]
» Successfully created working directory [/tmp/log4j-eDdiOOpPJf] for updating [/opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar]
» Looking for [log4j-core-*] in [/opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar]
» Executing: [(zipinfo -1 /opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar | grep log4j-core-*) || exit 1]
» Extracting [BOOT-INF/lib/log4j-core-2.13.1.jar] from [/opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar] to temp directory [/tmp/log4j-eDdiOOpPJf]
» Executing: [unzip /opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar BOOT-INF/lib/log4j-core-2.13.1.jar -d /tmp/log4j-eDdiOOpPJf || exit 1]
Archive:  /opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar
 extracting: /tmp/log4j-eDdiOOpPJf/BOOT-INF/lib/log4j-core-2.13.1.jar
» Scanning [/tmp/log4j-eDdiOOpPJf/BOOT-INF/lib/log4j-core-2.13.1.jar] to check if [org/apache/logging/log4j/core/lookup/JndiLookup.class] exists.
» Executing: [zipinfo -1 /tmp/log4j-eDdiOOpPJf/BOOT-INF/lib/log4j-core-2.13.1.jar | grep -q org/apache/logging/log4j/core/lookup/JndiLookup.class]
» ---
» Scanning completed.
» Verified [/tmp/log4j-eDdiOOpPJf/BOOT-INF/lib/log4j-core-2.13.1.jar] does not have the affected class.
» ---
» Cleaning up working directory [/tmp/log4j-eDdiOOpPJf]
» Cleaned up working directory [/tmp/log4j-eDdiOOpPJf]
» ---
» Verification steps for CVE-2021-45046 completed.
» Step 2 - Verification of remediation for CVE-2021-44228.
» Checking if imaging service is active.
» Executing: [systemctl status imaging || exit 1]
» Monitoring if imaging service is started.
» Imaging service started successfully.
» Checking if imaging jars are updated with [-Dlog4j2.formatMsgNoLookups=true]
» Executing: [ps -ef|grep jar || exit 1]
» Reading the output of the command [ps -ef | grep jar] line by line.
» Scanning if [via] or [evorack-imaging-esxi-service] services is in the following line:
» [root     15767 15736  0 04:21 ?        00:00:00 /etc/alternatives/jre/bin/java -jar -Dserver.port=8081 -Dlog4j2.formatMsgNoLookups=true -Dspring.config.additional-location=/opt/vmware/evorack-imaging/config/via-db-ext.properties /opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar]
» Verifying the service has the flag [-Dlog4j2.formatMsgNoLookups=true]
» Verified flag [-Dlog4j2.formatMsgNoLookups=true] is present.
» Scanning if [via] or [evorack-imaging-esxi-service] services is in the following line:
» [root     15784 15782  0 04:21 pts/0    00:00:00 grep jar]
» Verification steps for CVE-2021-44228 completed.
» Completed script execution.

SDDC Manager

CVE-2021-44228 workaround

This workaround applies to SDDC Manager in VCF 3.x (except VCF 3.10.2, 3.10.2.1 and 3.10.2.2) and 4.x.

Connect to SDDC Manager over SSH as the vcf user.

Escalate to root with su:

vcf@vcf-sddcmgr [ ~ ]$ su

Take a backup of the following file before editing it:

/usr/local/vip/bin/start-vip.sh

root@vcf-sddcmgr [ /home/vcf ]# cp /usr/local/vip/bin/start-vip.sh /usr/local/vip/bin/start-vip.sh.orig

Edit /usr/local/vip/bin/start-vip.sh, adding -DLOG4J_FORMAT_MSG_NO_LOOKUPS=true to the java command line as shown:

root@vcf-sddcmgr [ /home/vcf ]# vi /usr/local/vip/bin/start-vip.sh

Before

nohup $JAVA -jar -Dapp.log.home=/var/log/vmware/vip -server -XX:MaxMetaspaceSize=64m -XX:ParallelGCThreads=2 -Djava.compiler=NONE $1 --vipservice.cross.domain.alloworigin=$(hostname) --server.scheme=http --server.http.port=7900> $2 2>&1 &

After

nohup $JAVA -jar -Dapp.log.home=/var/log/vmware/vip -server -XX:MaxMetaspaceSize=64m -XX:ParallelGCThreads=2 -Djava.compiler=NONE -DLOG4J_FORMAT_MSG_NO_LOOKUPS=true $1 --vipservice.cross.domain.alloworigin=$(hostname) --server.scheme=http --server.http.port=7900> $2 2>&1 &

 

Once the edit is done, restart the service:

root@vcf-sddcmgr [ /home/vcf ]# systemctl restart vip-manager-i18n.service

Run the following command and confirm that the VIP Manager service is running with the -DLOG4J_FORMAT_MSG_NO_LOOKUPS=true option. The spelling differs from the -Dlog4j2.formatMsgNoLookups=true used on Cloud Builder; Log4j 2.10 and later normalize property names, so the environment-variable style name is accepted as a system property too, and it is the exact string the VMware script checks for.

root@vcf-sddcmgr [ /home/vcf ]# systemctl status vip-manager-i18n.service
* vip-manager-i18n.service - VMware Internationalization Service
   Loaded: loaded (/etc/systemd/system/vip-manager-i18n.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2021-12-24 06:14:20 UTC; 3min 13s ago
  Process: 2664 ExecStop=/usr/local/vip/bin/init.sh stop (code=exited, status=0/SUCCESS)
  Process: 2684 ExecStart=/usr/local/vip/bin/init.sh start (code=exited, status=0/SUCCESS)
 Main PID: 2714 (java)
    Tasks: 26 (limit: 19197)
   Memory: 207.8M
   CGroup: /system.slice/vip-manager-i18n.service
           `-2714 /usr/bin/java -jar -Dapp.log.home=/var/log/vmware/vip -server -XX:MaxMetaspaceSize=64m -XX:ParallelGCThreads=2 -Djava.compiler=NONE -DLOG4J_FORMAT_MSG_NO_LOOKUPS=true /usr/local/vip/vip-...

Dec 24 06:14:20 vcf-sddcmgr.vcf.local init.sh[2684]: start VIP service
Dec 24 06:14:20 vcf-sddcmgr.vcf.local init.sh[2684]: execute start function
Dec 24 06:14:20 vcf-sddcmgr.vcf.local init.sh[2684]: executing:  /usr/local/vip/bin/start-vip.sh /usr/local/vip/vip-manager-i18n-common.jar /usr/local/vip/work/vip-runtime.log /usr/local/vip/work
Dec 24 06:14:20 vcf-sddcmgr.vcf.local init.sh[2684]: =====startup vip=====
Dec 24 06:14:20 vcf-sddcmgr.vcf.local init.sh[2684]: found java home:  /etc/alternatives/jre
Dec 24 06:14:20 vcf-sddcmgr.vcf.local init.sh[2684]: run vip from:  /usr/local/vip/vip-manager-i18n-common.jar
Dec 24 06:14:20 vcf-sddcmgr.vcf.local init.sh[2684]: log file:  /var/log/vmware/vip/vip-runtime.log
Dec 24 06:14:20 vcf-sddcmgr.vcf.local init.sh[2684]: vip service is started!
Dec 24 06:14:20 vcf-sddcmgr.vcf.local init.sh[2684]: end of starting VIP service
Dec 24 06:14:20 vcf-sddcmgr.vcf.local systemd[1]: Started VMware Internationalization Service.
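The Before/After edits for Cloud Builder's imaging start scripts and for SDDC Manager's start-vip.sh are the same operation with a different property spelling, and the check in both cases is a look at the JVM's command line. The following is an added example (my code, not the VMware KB's script or anything from this blog) that does both: it inserts the flag right after the -jar token only if it is not already there (so the edit is idempotent), takes the .orig backup once as the KB steps do, and tests a command line for the flag only in the JVM-option region before the jar path, since a property placed after the jar would be an application argument. It inserts directly after -jar rather than at the exact position shown in the KB diffs, which is equivalent for the JVM. The /proc walk assumes Linux; the paths in the usage comment are the ones from this page.

```python
"""Added example (not from the VMware KB or this blog): idempotently insert a Log4j
system property into the `nohup ... -jar` line of a VCF start script, taking the
.orig backup once, and check a JVM command line for the flag."""
import os
from pathlib import Path
import shutil

# The two spellings this page uses. Cloud Builder's imaging scripts get the system
# property name; SDDC Manager's start-vip.sh gets the environment-variable style name.
CB_FLAG = "-Dlog4j2.formatMsgNoLookups=true"
VIP_FLAG = "-DLOG4J_FORMAT_MSG_NO_LOOKUPS=true"
KNOWN_FLAGS = (CB_FLAG, VIP_FLAG)


def add_flag_to_line(line: str, flag: str) -> str:
    """Insert `flag` directly after the `-jar` token of a java launch line.

    Options between `-jar` and the jar path are still JVM options (that is where
    the KB diffs place the property). A line that already carries the flag, or
    that does not launch a jar, is returned unchanged, so re-running is safe.
    """
    if flag in line.split():
        return line
    tokens = line.split(" ")  # single-space split keeps the original spacing
    for i, tok in enumerate(tokens):
        if tok == "-jar":
            tokens.insert(i + 1, flag)
            return " ".join(tokens)
    return line  # no jar launch on this line


def patch_start_script(path: str, flag: str, backup_suffix: str = ".orig") -> int:
    """Patch every jar-launch line in `path`; return the number of lines changed.

    The backup is taken only before the first change, so it keeps holding the
    untouched original however many times this is re-run.
    """
    script = Path(path)
    original = script.read_text().splitlines(keepends=True)
    patched = [add_flag_to_line(line, flag) for line in original]
    changed = sum(1 for old, new in zip(original, patched) if old != new)
    if changed:
        backup = Path(path + backup_suffix)
        if not backup.exists():
            shutil.copy2(script, backup)  # copy2 also keeps the mode bits
        script.write_text("".join(patched))
    return changed


def cmdline_has_flag(cmdline: str, flags=KNOWN_FLAGS) -> bool:
    """True if a ps-style command line carries one of `flags` as a JVM option.

    Only tokens before the jar path count: the first token after `-jar` that does
    not start with '-' is the jar, and everything after it is an application
    argument the JVM never sees as a system property.
    """
    tokens = cmdline.split()
    if "-jar" not in tokens:
        return False
    jar_idx = tokens.index("-jar") + 1
    while jar_idx < len(tokens) and tokens[jar_idx].startswith("-"):
        jar_idx += 1
    return any(tok in flags for tok in tokens[:jar_idx])


def java_processes_missing_flag(flags=KNOWN_FLAGS, proc="/proc"):
    """Return [(pid, cmdline)] for running `java -jar` processes lacking the flag.

    Reads /proc/<pid>/cmdline (Linux only; returns [] elsewhere) instead of
    relying on a visual scan of `ps -ef | grep jar`.
    """
    missing = []
    if not os.path.isdir(proc):
        return missing
    for entry in os.scandir(proc):
        if not entry.name.isdigit():
            continue
        try:
            raw = Path(entry.path, "cmdline").read_bytes()
        except OSError:
            continue  # process exited, or not ours to read
        argv = [a.decode(errors="replace") for a in raw.split(b"\0") if a]
        if not argv or os.path.basename(argv[0]) != "java" or "-jar" not in argv:
            continue
        cmdline = " ".join(argv)
        if not cmdline_has_flag(cmdline, flags):
            missing.append((int(entry.name), cmdline))
    return missing


if __name__ == "__main__":
    import sys
    # e.g. python log4j_flag.py /opt/vmware/evorack-imaging/imaging-util-scripts/start-imaging-services.sh
    # (patches with the Cloud Builder spelling; pass VIP_FLAG for start-vip.sh)
    for script in sys.argv[1:]:
        print(f"{script}: {patch_start_script(script, CB_FLAG)} line(s) patched")
    for pid, cmd in java_processes_missing_flag():
        print(f"WARNING: pid {pid} runs without the flag: {cmd[:100]}")
```

Run it once with the start scripts as arguments, restart the service, then run it again with no arguments: a second run changes nothing and reports any java -jar process that still lacks the flag, which is the same evidence the KB's ps -ef | grep jar step asks you to read by eye.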

CVE-2021-45046 workaround

This workaround applies to SDDC Manager in VCF 3.x (except VCF 3.10.2, 3.10.2.1 and 3.10.2.2) and 4.x. As on Cloud Builder, the flag alone does not mitigate CVE-2021-45046; the JndiLookup class is removed from the bundled log4j-core jar.

Stop the vip-manager-i18n service:

root@vcf-sddcmgr [ /home/vcf ]# systemctl stop vip-manager-i18n.service

Remediating vip-manager-i18n-common.jar

Create a temporary directory:

root@vcf-sddcmgr [ /home/vcf ]# mktemp -d -t log4j-XXXXXXXXXX

Example output:

root@vcf-sddcmgr [ /home/vcf ]# mktemp -d -t log4j-XXXXXXXXXX
/tmp/log4j-t01QRNHQSX

Run the following command to check whether log4j-core is present inside vip-manager-i18n-common.jar:

root@vcf-sddcmgr [ /home/vcf ]# zipinfo -1 "/usr/local/vip/vip-manager-i18n-common.jar" | grep log4j-core-*

Example output:

root@vcf-sddcmgr [ /home/vcf ]# zipinfo -1 "/usr/local/vip/vip-manager-i18n-common.jar" | grep log4j-core-*
BOOT-INF/lib/log4j-core-2.13.3.jar

 

Copy the path of the directory created by mktemp, extract the nested log4j-core jar into it, and check it for JndiLookup.class:

root@vcf-sddcmgr [ /home/vcf ]# unzip "/usr/local/vip/vip-manager-i18n-common.jar" "BOOT-INF/lib/log4j-core-2.13.3.jar" -d "/tmp/log4j-t01QRNHQSX"

root@vcf-sddcmgr [ /home/vcf ]# zipinfo -1 /tmp/log4j-t01QRNHQSX/BOOT-INF/lib/log4j-core-2.13.3.jar | grep -q "org/apache/logging/log4j/core/lookup/JndiLookup.class"

Read the exit status of the grep immediately afterwards:

root@vcf-sddcmgr [ /home/vcf ]# echo $?

If the value is 1, the class is not present and nothing more needs to be done; proceed to starting the VIP Manager service.

If the value is 0, JndiLookup.class is present and must be deleted from the extracted jar:

root@vcf-sddcmgr [ /home/vcf ]# zip -q -d "/tmp/log4j-t01QRNHQSX/BOOT-INF/lib/log4j-core-2.13.3.jar" "org/apache/logging/log4j/core/lookup/JndiLookup.class"

This removes JndiLookup.class from log4j-core-2.13.3.jar.

Update vip-manager-i18n-common.jar with the modified log4j-core (again with -0, so the nested jar is stored uncompressed):

root@vcf-sddcmgr [ /home/vcf ]# cd "/tmp/log4j-t01QRNHQSX/" && zip -ur -0 "/usr/local/vip/vip-manager-i18n-common.jar"

Example output:

root@vcf-sddcmgr [ /home/vcf ]# cd "/tmp/log4j-t01QRNHQSX/" && zip -ur -0 "/usr/local/vip/vip-manager-i18n-common.jar"
updating: BOOT-INF/ (stored 0%)
updating: BOOT-INF/lib/ (stored 0%)
updating: BOOT-INF/lib/log4j-core-2.13.3.jar (stored 0%)

 

Start the vip-manager-i18n service:

root@vcf-sddcmgr [ /tmp/log4j-t01QRNHQSX ]# systemctl start vip-manager-i18n.service
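The manual CVE-2021-45046 steps for Cloud Builder (via.jar and the evorack-imaging-esxi-service jar) and for SDDC Manager (vip-manager-i18n-common.jar) are one procedure: find the nested log4j-core jar inside the Spring Boot fat jar, check it for JndiLookup.class, delete the class, and write the nested jar back uncompressed. The following is an added example (my code, not VMware's log4j_*_v3.sh scripts) that does the same with Python's standard zipfile module, so it needs no zip/unzip/zipinfo binaries. It handles any number of nested log4j-core jars, reports their versions, takes a .orig backup before the first change, rewrites the outer jar through a temp file and atomic rename, and returns an empty list on a second run. It assumes the Spring Boot layout (BOOT-INF/lib/) that the zipinfo output on this page shows; the jar used in the test is constructed, not a real VMware artifact.

```python
"""Added example (not from the VMware KB or this blog): find nested log4j-core jars
inside Spring Boot fat jars, test them for the JNDI lookup class, and strip it."""
import io
import os
import re
import shutil
import sys
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Spring Boot places dependencies under BOOT-INF/lib/; capture the log4j-core version.
LOG4J_CORE_RE = re.compile(r"^BOOT-INF/lib/log4j-core-(?P<ver>[^/]+)\.jar$")


def _clone_info(info: zipfile.ZipInfo, compress_type=None) -> zipfile.ZipInfo:
    """Fresh ZipInfo keeping only name, timestamp, mode and (optionally) compression,
    so stale header fields from the source archive are not carried over."""
    new = zipfile.ZipInfo(info.filename, info.date_time)
    new.compress_type = info.compress_type if compress_type is None else compress_type
    new.external_attr = info.external_attr
    return new


def find_log4j_core(fat_jar: str) -> list:
    """Return [(entry_name, version)] for every nested log4j-core jar."""
    with zipfile.ZipFile(fat_jar) as zf:
        found = []
        for name in zf.namelist():
            m = LOG4J_CORE_RE.match(name)
            if m:
                found.append((name, m.group("ver")))
        return found


def nested_has_jndi(fat_jar: str, entry: str) -> bool:
    """True if the nested jar `entry` still contains JndiLookup.class."""
    with zipfile.ZipFile(fat_jar) as zf, \
            zipfile.ZipFile(io.BytesIO(zf.read(entry))) as inner:
        return JNDI_CLASS in inner.namelist()


def _strip_entry(jar_bytes: bytes, victim: str) -> bytes:
    """zipfile cannot delete in place, so rebuild the nested jar without `victim`."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != victim:
                dst.writestr(_clone_info(info), src.read(info))
    return out.getvalue()


def remediate_fat_jar(fat_jar: str, backup_suffix: str = ".orig") -> list:
    """Strip JndiLookup.class from every nested log4j-core jar in `fat_jar`.

    Returns the nested entries that were changed (an empty list means nothing to
    do, so re-running is safe). A backup is taken before the first change. The
    outer jar is rewritten to a temp file and atomically renamed into place, and
    changed nested jars are written STORED (uncompressed), which Spring Boot's
    launcher requires and which is what the KB's `zip -ur -0` achieves.
    """
    with zipfile.ZipFile(fat_jar) as zf:
        infos = zf.infolist()
        data = {i.filename: zf.read(i) for i in infos}  # whole jar held in memory
    changed = []
    for info in infos:
        if LOG4J_CORE_RE.match(info.filename):
            with zipfile.ZipFile(io.BytesIO(data[info.filename])) as inner:
                present = JNDI_CLASS in inner.namelist()
            if present:
                data[info.filename] = _strip_entry(data[info.filename], JNDI_CLASS)
                changed.append(info.filename)
    if not changed:
        return changed
    backup = fat_jar + backup_suffix
    if not os.path.exists(backup):
        shutil.copy2(fat_jar, backup)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(fat_jar)))
    os.close(fd)
    with zipfile.ZipFile(tmp, "w") as out:
        for info in infos:
            stored = zipfile.ZIP_STORED if info.filename in changed else None
            out.writestr(_clone_info(info, stored), data[info.filename])
    shutil.copymode(fat_jar, tmp)
    os.replace(tmp, fat_jar)  # atomic swap: readers never see a half-written jar
    return changed


if __name__ == "__main__":
    # e.g. python log4j_strip.py /usr/local/vip/vip-manager-i18n-common.jar (service stopped first)
    for jar in sys.argv[1:]:
        for entry, ver in find_log4j_core(jar):
            state = "JndiLookup present" if nested_has_jndi(jar, entry) else "clean"
            print(f"{jar}: {entry} (log4j-core {ver}): {state}")
        for entry in remediate_fat_jar(jar):
            print(f"{jar}: removed {JNDI_CLASS} from {entry}")
```

As with the manual steps, stop the service before rewriting its jar and start it afterwards; the script prints the log4j-core version it found, which is also the number to compare against a fixed release when planning the real upgrade.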

Running the workaround with the VMware script (recommended)

The script handles both CVE-2021-44228 and CVE-2021-45046.

VMware recommends running the script even if you have already applied the manual CVE-2021-44228 workaround above.

Download the script file "log4j_vip_v3.sh" attached to the KB and copy it to the /home/vcf directory on SDDC Manager.

Connect to SDDC Manager over SSH.

Escalate to root with su:

vcf@vcf-sddcmgr [ ~ ]$ su

Run the script:

root@vcf-sddcmgr [ /home/vcf ]# bash log4j_vip_v3.sh

Example output (again on a system where the manual steps had already been applied, so the script only verifies):

root@vcf-sddcmgr [ /home/vcf ]# bash log4j_vip_v3.sh
» Starting to remediate log4j issue in VIP service
» ---
» Stopping VIP service: [systemctl stop vip-manager-i18n.service]
» ---
» Step 1 - Scanning if any of VIP jars [/usr/local/vip/vip-manager-i18n-common.jar /usr/local/vip/vip-manager-i18n-lite-master.0.0.276.jar] exist in system
» Found VIP jar [/usr/local/vip/vip-manager-i18n-common.jar] that needs analysis for existence of JndiLookup class
» Creating a working directory [/tmp/log4j-Q952zriuhN]
» Successfully created working directory [/tmp/log4j-Q952zriuhN] for updating [/usr/local/vip/vip-manager-i18n-common.jar]
» Looking for [log4j-core-*] in [/usr/local/vip/vip-manager-i18n-common.jar]
» Executing: [(zipinfo -1 /usr/local/vip/vip-manager-i18n-common.jar | grep log4j-core-*) || exit 1]
» Extracting [BOOT-INF/lib/log4j-core-2.13.3.jar] from [/usr/local/vip/vip-manager-i18n-common.jar] to temp directory [/tmp/log4j-Q952zriuhN]
» Executing: [unzip /usr/local/vip/vip-manager-i18n-common.jar BOOT-INF/lib/log4j-core-2.13.3.jar -d /tmp/log4j-Q952zriuhN || exit 1]
Archive:  /usr/local/vip/vip-manager-i18n-common.jar
 extracting: /tmp/log4j-Q952zriuhN/BOOT-INF/lib/log4j-core-2.13.3.jar
» Scanning [/tmp/log4j-Q952zriuhN/BOOT-INF/lib/log4j-core-2.13.3.jar] to check if [org/apache/logging/log4j/core/lookup/JndiLookup.class] exists
» Executing: [zipinfo -1 /tmp/log4j-Q952zriuhN/BOOT-INF/lib/log4j-core-2.13.3.jar | grep -q org/apache/logging/log4j/core/lookup/JndiLookup.class]
» Scanning completed. [/tmp/log4j-Q952zriuhN/BOOT-INF/lib/log4j-core-2.13.3.jar] does not have the affected class. No clean-up needed.
» Cleaning up working directory [/tmp/log4j-Q952zriuhN]
» Cleaned up working directory [/tmp/log4j-Q952zriuhN]
» ---
» Step 2 - Update flag [DLOG4J_FORMAT_MSG_NO_LOOKUPS=true] in VIP service start script
» Checking if flag [DLOG4J_FORMAT_MSG_NO_LOOKUPS=true] is set in [/usr/local/vip/bin/start-vip.sh] already
» Executing: [grep -q DLOG4J_FORMAT_MSG_NO_LOOKUPS=true /usr/local/vip/bin/start-vip.sh]
» Flag [DLOG4J_FORMAT_MSG_NO_LOOKUPS=true] is already set in VIP service start file [/usr/local/vip/bin/start-vip.sh]. No further action needed...
» ---
» Starting VIP service: systemctl start vip-manager-i18n.service
» ---
» Step 3 - Entering verification stage
» Verifying classpath removal
» Verifying JndiLookup class [org/apache/logging/log4j/core/lookup/JndiLookup.class] doesn't exist in VIP jar [/usr/local/vip/vip-manager-i18n-common.jar]
» Creating a working directory [/tmp/log4j-YYgTDfZNXJ]
» Successfully created working directory [/tmp/log4j-YYgTDfZNXJ] for updating [/usr/local/vip/vip-manager-i18n-common.jar]
» Looking for [log4j-core-*] in [/usr/local/vip/vip-manager-i18n-common.jar]
» Executing: [(zipinfo -1 /usr/local/vip/vip-manager-i18n-common.jar | grep log4j-core-*) || exit 1]
» Extracting [BOOT-INF/lib/log4j-core-2.13.3.jar] from [/usr/local/vip/vip-manager-i18n-common.jar] to temp directory [/tmp/log4j-YYgTDfZNXJ]
» Executing: [unzip /usr/local/vip/vip-manager-i18n-common.jar BOOT-INF/lib/log4j-core-2.13.3.jar -d /tmp/log4j-YYgTDfZNXJ || exit 1]
Archive:  /usr/local/vip/vip-manager-i18n-common.jar
 extracting: /tmp/log4j-YYgTDfZNXJ/BOOT-INF/lib/log4j-core-2.13.3.jar
» Scanning [/tmp/log4j-YYgTDfZNXJ/BOOT-INF/lib/log4j-core-2.13.3.jar] to check if [org/apache/logging/log4j/core/lookup/JndiLookup.class] exists
» Executing: [zipinfo -1 /tmp/log4j-YYgTDfZNXJ/BOOT-INF/lib/log4j-core-2.13.3.jar | grep -q org/apache/logging/log4j/core/lookup/JndiLookup.class]
» ---
» Scanning completed.
» Verified [/tmp/log4j-YYgTDfZNXJ/BOOT-INF/lib/log4j-core-2.13.3.jar] does not have the affected class.
» ---
» Cleaning up working directory [/tmp/log4j-YYgTDfZNXJ]
» Cleaned up working directory [/tmp/log4j-YYgTDfZNXJ]
» ---
» Verifying [LOG4J_FORMAT_MSG_NO_LOOKUPS=true] is updated in VIP start script
» Executing: [ps -ef | grep /vip/vip-manager-i18n | grep 'DLOG4J_FORMAT_MSG_NO_LOOKUPS=true']
vcf_vip    3750      1  0 06:50 ?        00:00:00 /usr/bin/java -jar -Dapp.log.home=/var/log/vmware/vip -server -XX:MaxMetaspaceSize=64m -XX:ParallelGCThreads=2 -Djava.compiler=NONE -DLOG4J_FORMAT_MSG_NO_LOOKUPS=true /usr/local/vip/vip-manager-i18n-common.jar --vipservice.cross.domain.alloworigin=vcf-sddcmgr.vcf.local --server.scheme=http --server.http.port=7900
» ---
» Verified [LOG4J_FORMAT_MSG_NO_LOOKUPS=true] is updated in VIP start script successfully
» Remediation successful for CVE-2021-44228
» ---
» Script run completed.

For the other VCF components, refer to KB 87095.

That's all.