Responding to the Apache Log4j vulnerabilities in VMware Cloud Foundation
This post is about the critical vulnerabilities found in Apache Log4j, CVE-2021-44228 and CVE-2021-45046.
Apache Log4j has a feature called Lookup, which substitutes parts of a logged string as variables. If the JNDI Lookup feature is abused, a remote third party can send a crafted string; when Log4j writes it to the log, the Lookup makes Log4j load and execute a Java class file from the specified remote endpoint or internal path, which can result in arbitrary code execution.
Several VMware products have also been announced as affected.
The affected products and workarounds can be checked in VMSA-2021-0028 below.
Workarounds for some of the VCF products (Cloud Builder / SDDC Manager) had been published, so I tried applying them.
Cloud Builder CVE-2021-44228 workaround
This workaround applies to Cloud Builder in all VCF 3.x and 4.x releases.
Connect to Cloud Builder over SSH
Escalate to root with the su command
admin@vcf-cb01 [ ~ ]$ su
Stop the imaging service
root@vcf-cb01 [ /home/admin ]# systemctl stop imaging
Confirm that the imaging service is stopped
root@vcf-cb01 [ /home/admin ]# systemctl status imaging
Take a backup before editing the following file
/opt/vmware/evorack-imaging/imaging-util-scripts/start-parent-imaging-service.sh
root@vcf-cb01 [ /home/admin ]# cp /opt/vmware/evorack-imaging/imaging-util-scripts/start-parent-imaging-service.sh /opt/vmware/evorack-imaging/imaging-util-scripts/start-parent-imaging-service.sh.orig
Edit /opt/vmware/evorack-imaging/imaging-util-scripts/start-parent-imaging-service.sh
root@vcf-cb01 [ /home/admin ]# vi /opt/vmware/evorack-imaging/imaging-util-scripts/start-parent-imaging-service.sh
Before
nohup /etc/alternatives/jre/bin/java -jar -Dserver.port=$VIA_SERVICE_PORT -Dspring.config.additional-location=$VIA_EXTERNAL_PROPERTIES_PATH,$VIA_DB_PROPERTIES_FILE -Dserver.servlet.context-path=$VIA_CONTEXT_PATH $VIA_SERVICE_PATH < /dev/null >>$LOGFILE 2>&1 &
After
nohup /etc/alternatives/jre/bin/java -jar -Dserver.port=$VIA_SERVICE_PORT -Dlog4j2.formatMsgNoLookups=true -Dspring.config.additional-location=$VIA_EXTERNAL_PROPERTIES_PATH,$VIA_DB_PROPERTIES_FILE -Dserver.servlet.context-path=$VIA_CONTEXT_PATH $VIA_SERVICE_PATH < /dev/null >>$LOGFILE 2>&1 &
Take a backup before editing the following file
/opt/vmware/evorack-imaging/imaging-util-scripts/start-imaging-services.sh
root@vcf-cb01 [ /home/admin ]# cp /opt/vmware/evorack-imaging/imaging-util-scripts/start-imaging-services.sh /opt/vmware/evorack-imaging/imaging-util-scripts/start-imaging-services.sh.orig
Edit /opt/vmware/evorack-imaging/imaging-util-scripts/start-imaging-services.sh
Before
nohup /etc/alternatives/jre/bin/java -jar -Dserver.port=$SECOND -Dspring.config.additional-location=$VIA_DB_PROPERTIES_FILE $name < /dev/null >>$LOGFILE 2>&1 &
After
nohup /etc/alternatives/jre/bin/java -jar -Dserver.port=$SECOND -Dlog4j2.formatMsgNoLookups=true -Dspring.config.additional-location=$VIA_DB_PROPERTIES_FILE $name < /dev/null >>$LOGFILE 2>&1 &
Once the edits are done, start the service with the following command
root@vcf-cb01 [ /home/admin ]# systemctl start imaging
Confirm with the following command that the service has started normally (running)
root@vcf-cb01 [ /home/admin ]# systemctl status imaging
Run the following command and confirm that the imaging service is running with the "-Dlog4j2.formatMsgNoLookups=true" option.
root@vcf-cb01 [ /home/admin ]# ps -ef|grep jar
root 9184 1 26 15:06 ? 00:00:18 /etc/alternatives/jre/bin/java -jar -Dserver.port=8445 -Dlog4j2.formatMsgNoLookups=true -Dspring.config.additional-location=/opt/vmware/evorack-imaging/config/via.properties,/opt/vmware/evorack-imaging/config/via-db-ext.properties -Dserver.servlet.context-path=/via /opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar
root 9654 8756 32 15:07 ? 00:00:16 /etc/alternatives/jre/bin/java -jar -Dserver.port=8081 -Dlog4j2.formatMsgNoLookups=true -Dspring.config.additional-location=/opt/vmware/evorack-imaging/config/via-db-ext.properties /opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar
root 10087 4157 0 15:08 pts/0 00:00:00 grep --color=auto jar
Cloud Builder CVE-2021-45046 workaround
Connect to Cloud Builder over SSH
Escalate to root with the su command
admin@vcf-cb01 [ ~ ]$ su
Stop the imaging service
root@vcf-cb01 [ /home/admin ]# systemctl stop imaging
Remediating the evorack-imaging-esxi-service jar
Create a temporary directory
root@vcf-cb01 [ /home/admin ]# mktemp -d -t log4j-XXXXXXXXXX
Example output
root@vcf-cb01 [ /home/admin ]# mktemp -d -t log4j-XXXXXXXXXX
/tmp/log4j-TChoNYNPvH
Run the following command to check whether log4j-core is present in the jar file evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar.
root@vcf-cb01 [ /home/admin ]# zipinfo -1 "/opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar" | grep log4j-core-*
Example output
root@vcf-cb01 [ /home/admin ]# zipinfo -1 "/opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar" | grep log4j-core-*
BOOT-INF/lib/log4j-core-2.13.1.jar
Copy the path of the directory created by mktemp and run the following command.
root@vcf-cb01 [ /home/admin ]# unzip "/opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar" "BOOT-INF/lib/log4j-core-2.13.1.jar" -d "/tmp/log4j-TChoNYNPvH"
Run the following command.
root@vcf-cb01 [ /home/admin ]# zipinfo -l /tmp/log4j-TChoNYNPvH/BOOT-INF/lib/log4j-core-2.13.1.jar | grep -q "org/apache/logging/log4j/core/lookup/JndiLookup.class"
Next, run the following command.
root@vcf-cb01 [ /home/admin ]# echo $?
If the return value is 1, no further action is needed; proceed to remediating via.jar.
If the return value is 0, JndiLookup.class is present, so you must continue with the following command.
root@vcf-cb01 [ /home/admin ]# zip -q -d "/tmp/log4j-TChoNYNPvH/BOOT-INF/lib/log4j-core-2.13.1.jar" "org/apache/logging/log4j/core/lookup/JndiLookup.class"
This removes the JndiLookup.class file from log4j-core-2.13.1.jar.
Update the evorack-imaging jar with the modified log4j-core.
root@vcf-cb01 [ /home/admin ]# cd "/tmp/log4j-TChoNYNPvH" && zip -ur -0 "/opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar"
Example output
root@vcf-cb01 [ /home/admin ]# cd "/tmp/log4j-TChoNYNPvH" && zip -ur -0 "/opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar"
updating: BOOT-INF/ (stored 0%)
updating: BOOT-INF/lib/ (stored 0%)
updating: BOOT-INF/lib/log4j-core-2.13.1.jar (stored 0%)
Remediating via.jar
Create a temporary directory
root@vcf-cb01 [ /home/admin ]# mktemp -d -t log4j-XXXXXXXXXX
Example output
root@vcf-cb01 [ /home/admin ]# mktemp -d -t log4j-XXXXXXXXXX
/tmp/log4j-ZjZ9Z0Itul
Run the following command to check whether log4j-core is present in the via.jar file.
root@vcf-cb01 [ /home/admin ]# zipinfo -1 "/opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar" | grep log4j-core-*
Example output
root@vcf-cb01 [ /home/admin ]# zipinfo -1 "/opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar" | grep log4j-core-*
BOOT-INF/lib/log4j-core-2.13.1.jar
Copy the path of the directory created by mktemp and run the following commands.
root@vcf-cb01 [ /home/admin ]# unzip "/opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar" "BOOT-INF/lib/log4j-core-2.13.1.jar" -d "/tmp/log4j-ZjZ9Z0Itul"
root@vcf-cb01 [ /home/admin ]# zipinfo -l /tmp/log4j-ZjZ9Z0Itul/BOOT-INF/lib/log4j-core-2.13.1.jar | grep -q "org/apache/logging/log4j/core/lookup/JndiLookup.class"
Run the following command.
root@vcf-cb01 [ /home/admin ]# echo $?
If the return value is 1, no further action is needed; start the imaging service.
If the return value is 0, JndiLookup.class is present, so you must continue with the following command.
root@vcf-cb01 [ /home/admin ]# zip -q -d "/tmp/log4j-ZjZ9Z0Itul/BOOT-INF/lib/log4j-core-2.13.1.jar" "org/apache/logging/log4j/core/lookup/JndiLookup.class"
This removes the JndiLookup.class file from log4j-core-2.13.1.jar.
Update via.jar with the modified log4j-core.
root@vcf-cb01 [ /home/admin ]# cd "/tmp/log4j-ZjZ9Z0Itul" && zip -ur -0 "/opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar"
Example output
root@vcf-cb01 [ /home/admin ]# cd "/tmp/log4j-ZjZ9Z0Itul" && zip -ur -0 "/opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar"
updating: BOOT-INF/ (stored 0%)
updating: BOOT-INF/lib/ (stored 0%)
updating: BOOT-INF/lib/log4j-core-2.13.1.jar (stored 0%)
Start the imaging service
root@vcf-cb01 [ /tmp/log4j-ZjZ9Z0Itul ]# systemctl start imaging
Running the workaround with the script (recommended by VMware)
This script handles both CVE-2021-44228 and CVE-2021-45046.
Running the script is recommended even if you have already applied the CVE-2021-44228 workaround.
Download the script file "log4j_via_v3.sh" attached to the KB and copy it to the /home/admin directory on Cloud Builder.
Connect to Cloud Builder over SSH
Escalate to root with the su command
admin@vcf-cb01 [ ~ ]$ su
Run the script with the following command
Example output
root@vcf-cb01 [ /home/admin ]# bash log4j_via_v3.sh
» Starting to remediate log4j issue in imaging service.
» ---
» Stopping imaging service: [systemctl stop imaging]
» ---
» Stage 1 - Entering remediation stage.
» Step 1 - Remove JndiLookup class for CVE-2021-45046. Scanning if any of imaging jars [/opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar /opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar] exist in system.
» Found imaging jar [/opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar] that needs analysis for existence of JndiLookup class.
» Creating a working directory [/tmp/log4j-MxSOaIPnKF]
» Successfully created working directory [/tmp/log4j-MxSOaIPnKF] for updating [/opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar]
» Looking for [log4j-core-*] in [/opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar]
» Executing: [(zipinfo -1 /opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar | grep log4j-core-*) || exit 1]
» Extracting [BOOT-INF/lib/log4j-core-2.13.1.jar] from [/opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar] to temp directory [/tmp/log4j-MxSOaIPnKF]
» Executing: [unzip /opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar BOOT-INF/lib/log4j-core-2.13.1.jar -d /tmp/log4j-MxSOaIPnKF || exit 1]
Archive: /opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar
extracting: /tmp/log4j-MxSOaIPnKF/BOOT-INF/lib/log4j-core-2.13.1.jar
» Scanning [/tmp/log4j-MxSOaIPnKF/BOOT-INF/lib/log4j-core-2.13.1.jar] to check if [org/apache/logging/log4j/core/lookup/JndiLookup.class] exists.
» Executing: [zipinfo -1 /tmp/log4j-MxSOaIPnKF/BOOT-INF/lib/log4j-core-2.13.1.jar | grep -q org/apache/logging/log4j/core/lookup/JndiLookup.class]
» Scanning completed. [/tmp/log4j-MxSOaIPnKF/BOOT-INF/lib/log4j-core-2.13.1.jar] does not have the affected class. No clean-up needed.
» Cleaning up working directory [/tmp/log4j-MxSOaIPnKF]
» Cleaned up working directory [/tmp/log4j-MxSOaIPnKF]
» ---
» Found imaging jar [/opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar] that needs analysis for existence of JndiLookup class.
» Creating a working directory [/tmp/log4j-sFS5k5n2D2]
» Successfully created working directory [/tmp/log4j-sFS5k5n2D2] for updating [/opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar]
» Looking for [log4j-core-*] in [/opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar]
» Executing: [(zipinfo -1 /opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar | grep log4j-core-*) || exit 1]
» Extracting [BOOT-INF/lib/log4j-core-2.13.1.jar] from [/opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar] to temp directory [/tmp/log4j-sFS5k5n2D2]
» Executing: [unzip /opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar BOOT-INF/lib/log4j-core-2.13.1.jar -d /tmp/log4j-sFS5k5n2D2 || exit 1]
Archive: /opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar
extracting: /tmp/log4j-sFS5k5n2D2/BOOT-INF/lib/log4j-core-2.13.1.jar
» Scanning [/tmp/log4j-sFS5k5n2D2/BOOT-INF/lib/log4j-core-2.13.1.jar] to check if [org/apache/logging/log4j/core/lookup/JndiLookup.class] exists.
» Executing: [zipinfo -1 /tmp/log4j-sFS5k5n2D2/BOOT-INF/lib/log4j-core-2.13.1.jar | grep -q org/apache/logging/log4j/core/lookup/JndiLookup.class]
» Scanning completed. [/tmp/log4j-sFS5k5n2D2/BOOT-INF/lib/log4j-core-2.13.1.jar] does not have the affected class. No clean-up needed.
» Cleaning up working directory [/tmp/log4j-sFS5k5n2D2]
» Cleaned up working directory [/tmp/log4j-sFS5k5n2D2]
» ---
» Remediation successful for CVE-2021-45046.
» Step 2 - Add flag [-Dlog4j2.formatMsgNoLookups=true] to imaging service start scripts for CVE-2021-44228.
» Check if backup of [/opt/vmware/evorack-imaging/imaging-util-scripts/start-parent-imaging-service.sh] exists
» Backup file already exists under /opt/vmware/evorack-imaging/imaging-util-scripts/start-parent-imaging-service.sh.orig
» File [/opt/vmware/evorack-imaging/imaging-util-scripts/start-parent-imaging-service.sh] already contains [-jar -Dserver.port=$VIA_SERVICE_PORT -Dlog4j2.formatMsgNoLookups=true]. No file updates necessary.
» Check if backup of [/opt/vmware/evorack-imaging/imaging-util-scripts/start-imaging-services.sh] exists.
» Backup file already exists under [/opt/vmware/evorack-imaging/imaging-util-scripts/start-imaging-services.sh.orig]
» File [/opt/vmware/evorack-imaging/imaging-util-scripts/start-imaging-services.sh] already contains [-jar -Dserver.port=$SECOND -Dlog4j2.formatMsgNoLookups=true]. No file updates necessary.
» Starting imaging service: systemctl start imaging
» ---
» Remediation successful for CVE-2021-44228.
» Stage 2 - Entering verification stage.
» Step 1 - Verification of remediation for CVE-2021-45046.
» Verifying classpath removal.
» Making sure JndiLookup class [org/apache/logging/log4j/core/lookup/JndiLookup.class] shouldn't exist in imaging jar [/opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar]
» Creating a working directory [/tmp/log4j-qoy12HBnND]
» Successfully created working directory [/tmp/log4j-qoy12HBnND] for updating [/opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar]
» Looking for [log4j-core-*] in [/opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar]
» Executing: [(zipinfo -1 /opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar | grep log4j-core-*) || exit 1]
» Extracting [BOOT-INF/lib/log4j-core-2.13.1.jar] from [/opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar] to temp directory [/tmp/log4j-qoy12HBnND]
» Executing: [unzip /opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar BOOT-INF/lib/log4j-core-2.13.1.jar -d /tmp/log4j-qoy12HBnND || exit 1]
Archive: /opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar
extracting: /tmp/log4j-qoy12HBnND/BOOT-INF/lib/log4j-core-2.13.1.jar
» Scanning [/tmp/log4j-qoy12HBnND/BOOT-INF/lib/log4j-core-2.13.1.jar] to check if [org/apache/logging/log4j/core/lookup/JndiLookup.class] exists.
» Executing: [zipinfo -1 /tmp/log4j-qoy12HBnND/BOOT-INF/lib/log4j-core-2.13.1.jar | grep -q org/apache/logging/log4j/core/lookup/JndiLookup.class]
» ---
» Scanning completed.
» Verified [/tmp/log4j-qoy12HBnND/BOOT-INF/lib/log4j-core-2.13.1.jar] does not have the affected class.
» ---
» Cleaning up working directory [/tmp/log4j-qoy12HBnND]
» Cleaned up working directory [/tmp/log4j-qoy12HBnND]
» ---
» Making sure JndiLookup class [org/apache/logging/log4j/core/lookup/JndiLookup.class] shouldn't exist in imaging jar [/opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar]
» Creating a working directory [/tmp/log4j-eDdiOOpPJf]
» Successfully created working directory [/tmp/log4j-eDdiOOpPJf] for updating [/opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar]
» Looking for [log4j-core-*] in [/opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar]
» Executing: [(zipinfo -1 /opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar | grep log4j-core-*) || exit 1]
» Extracting [BOOT-INF/lib/log4j-core-2.13.1.jar] from [/opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar] to temp directory [/tmp/log4j-eDdiOOpPJf]
» Executing: [unzip /opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar BOOT-INF/lib/log4j-core-2.13.1.jar -d /tmp/log4j-eDdiOOpPJf || exit 1]
Archive: /opt/vmware/evorack-imaging/services/evorack-imaging-services/via.jar
extracting: /tmp/log4j-eDdiOOpPJf/BOOT-INF/lib/log4j-core-2.13.1.jar
» Scanning [/tmp/log4j-eDdiOOpPJf/BOOT-INF/lib/log4j-core-2.13.1.jar] to check if [org/apache/logging/log4j/core/lookup/JndiLookup.class] exists.
» Executing: [zipinfo -1 /tmp/log4j-eDdiOOpPJf/BOOT-INF/lib/log4j-core-2.13.1.jar | grep -q org/apache/logging/log4j/core/lookup/JndiLookup.class]
» ---
» Scanning completed.
» Verified [/tmp/log4j-eDdiOOpPJf/BOOT-INF/lib/log4j-core-2.13.1.jar] does not have the affected class.
» ---
» Cleaning up working directory [/tmp/log4j-eDdiOOpPJf]
» Cleaned up working directory [/tmp/log4j-eDdiOOpPJf]
» ---
» Verification steps for CVE-2021-45046 completed.
» Step 2 - Verification of remediation for CVE-2021-44228.
» Checking if imaging service is active.
» Executing: [systemctl status imaging || exit 1]
» Monitoring if imaging service is started.
» Imaging service started successfully.
» Checking if imaging jars are updated with [-Dlog4j2.formatMsgNoLookups=true]
» Executing: [ps -ef|grep jar || exit 1]
» Reading the output of the command [ps -ef | grep jar] line by line.
» Scanning if [via] or [evorack-imaging-esxi-service] services is in the following line:
» [root 15767 15736 0 04:21 ? 00:00:00 /etc/alternatives/jre/bin/java -jar -Dserver.port=8081 -Dlog4j2.formatMsgNoLookups=true -Dspring.config.additional-location=/opt/vmware/evorack-imaging/config/via-db-ext.properties /opt/vmware/evorack-imaging/services/evorack-imaging-services/evorack-imaging-esxi-service-0.0.1-SNAPSHOT.jar]
» Verifying the service has the flag [-Dlog4j2.formatMsgNoLookups=true]
» Verified flag [-Dlog4j2.formatMsgNoLookups=true] is present.
» Scanning if [via] or [evorack-imaging-esxi-service] services is in the following line:
» [root 15784 15782 0 04:21 pts/0 00:00:00 grep jar]
» Verification steps for CVE-2021-44228 completed.
» Completed script execution.
SDDC Manager
This workaround applies to VCF 3.x (except VCF 3.10.2, 3.10.2.1 and 3.10.2.2) and 4.x Cloud Builder.
Connect to SDDC Manager as the vcf user.
Escalate to root with the su command
vcf@vcf-sddcmgr [ ~ ]$ su
Take a backup before editing the following file
/usr/local/vip/bin/start-vip.sh
root@vcf-sddcmgr [ /home/vcf ]# cp /usr/local/vip/bin/start-vip.sh /usr/local/vip/bin/start-vip.sh.orig
Edit /usr/local/vip/bin/start-vip.sh
root@vcf-sddcmgr [ /home/vcf ]# vi /usr/local/vip/bin/start-vip.sh
Before
nohup $JAVA -jar -Dapp.log.home=/var/log/vmware/vip -server -XX:MaxMetaspaceSize=64m -XX:ParallelGCThreads=2 -Djava.compiler=NONE $1 --vipservice.cross.domain.alloworigin=$(hostname) --server.scheme=http --server.http.port=7900> $2 2>&1 &
After
nohup $JAVA -jar -Dapp.log.home=/var/log/vmware/vip -server -XX:MaxMetaspaceSize=64m -XX:ParallelGCThreads=2 -Djava.compiler=NONE -DLOG4J_FORMAT_MSG_NO_LOOKUPS=true $1 --vipservice.cross.domain.alloworigin=$(hostname) --server.scheme=http --server.http.port=7900> $2 2>&1 &
Once the edits are done, restart the service with the following command
root@vcf-sddcmgr [ /home/vcf ]# systemctl restart vip-manager-i18n.service
Run the following command and confirm that the VIP Manager Service is running with the -DLOG4J_FORMAT_MSG_NO_LOOKUPS=true option.
root@vcf-sddcmgr [ /home/vcf ]# systemctl status vip-manager-i18n.service
* vip-manager-i18n.service - VMware Internationalization Service
Loaded: loaded (/etc/systemd/system/vip-manager-i18n.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2021-12-24 06:14:20 UTC; 3min 13s ago
Process: 2664 ExecStop=/usr/local/vip/bin/init.sh stop (code=exited, status=0/SUCCESS)
Process: 2684 ExecStart=/usr/local/vip/bin/init.sh start (code=exited, status=0/SUCCESS)
Main PID: 2714 (java)
Tasks: 26 (limit: 19197)
Memory: 207.8M
CGroup: /system.slice/vip-manager-i18n.service
`-2714 /usr/bin/java -jar -Dapp.log.home=/var/log/vmware/vip -server -XX:MaxMetaspaceSize=64m -XX:ParallelGCThreads=2 -Djava.compiler=NONE -DLOG4J_FORMAT_MSG_NO_LOOKUPS=true /usr/local/vip/vip-...
Dec 24 06:14:20 vcf-sddcmgr.vcf.local init.sh[2684]: start VIP service
Dec 24 06:14:20 vcf-sddcmgr.vcf.local init.sh[2684]: execute start function
Dec 24 06:14:20 vcf-sddcmgr.vcf.local init.sh[2684]: executing: /usr/local/vip/bin/start-vip.sh /usr/local/vip/vip-manager-i18n-common.jar /usr/local/vip/work/vip-runtime.log /usr/local/vip/work
Dec 24 06:14:20 vcf-sddcmgr.vcf.local init.sh[2684]: =====startup vip=====
Dec 24 06:14:20 vcf-sddcmgr.vcf.local init.sh[2684]: found java home: /etc/alternatives/jre
Dec 24 06:14:20 vcf-sddcmgr.vcf.local init.sh[2684]: run vip from: /usr/local/vip/vip-manager-i18n-common.jar
Dec 24 06:14:20 vcf-sddcmgr.vcf.local init.sh[2684]: log file: /var/log/vmware/vip/vip-runtime.log
Dec 24 06:14:20 vcf-sddcmgr.vcf.local init.sh[2684]: vip service is started!
Dec 24 06:14:20 vcf-sddcmgr.vcf.local init.sh[2684]: end of starting VIP service
Dec 24 06:14:20 vcf-sddcmgr.vcf.local systemd[1]: Started VMware Internationalization Service.
CVE-2021-45046 workaround
This workaround applies to VCF 3.x (except VCF 3.10.2, 3.10.2.1 and 3.10.2.2) and 4.x Cloud Builder.
Stop the vip manager i18n service
root@vcf-sddcmgr [ /home/vcf ]# systemctl stop vip-manager-i18n.service
Remediating vip-manager-i18n-common.jar
Create a temporary directory
root@vcf-sddcmgr [ /home/vcf ]# mktemp -d -t log4j-XXXXXXXXXX
Example output
root@vcf-sddcmgr [ /home/vcf ]# mktemp -d -t log4j-XXXXXXXXXX
/tmp/log4j-t01QRNHQSX
Run the following command to check whether log4j-core is present in the vip-manager-i18n-common.jar file.
root@vcf-sddcmgr [ /home/vcf ]# zipinfo -1 "/usr/local/vip/vip-manager-i18n-common.jar" | grep log4j-core-*
Example output
root@vcf-sddcmgr [ /home/vcf ]# zipinfo -1 "/usr/local/vip/vip-manager-i18n-common.jar" | grep log4j-core-*
BOOT-INF/lib/log4j-core-2.13.3.jar
Copy the path of the directory created by mktemp and run the following commands.
root@vcf-sddcmgr [ /home/vcf ]# unzip "/usr/local/vip/vip-manager-i18n-common.jar" "BOOT-INF/lib/log4j-core-2.13.3.jar" -d "/tmp/log4j-t01QRNHQSX"
root@vcf-sddcmgr [ /home/vcf ]# zipinfo -1 /tmp/log4j-t01QRNHQSX/BOOT-INF/lib/log4j-core-2.13.3.jar | grep -q "org/apache/logging/log4j/core/lookup/JndiLookup.class"
Run the following command.
root@vcf-sddcmgr [ /home/vcf ]# echo $?
If the return value is 1, no further action is needed; proceed to starting the vip manager service.
If the return value is 0, JndiLookup.class is present, so you must continue with the following command.
root@vcf-sddcmgr [ /home/vcf ]# zip -q -d "/tmp/log4j-t01QRNHQSX/BOOT-INF/lib/log4j-core-2.13.3.jar" "org/apache/logging/log4j/core/lookup/JndiLookup.class"
This removes the JndiLookup.class file from log4j-core-2.13.3.jar.
Update vip-manager-i18n-common.jar with the modified log4j-core.
root@vcf-sddcmgr [ /home/vcf ]# cd "/tmp/log4j-t01QRNHQSX/" && zip -ur -0 "/usr/local/vip/vip-manager-i18n-common.jar"
Example output
root@vcf-sddcmgr [ /home/vcf ]# cd "/tmp/log4j-t01QRNHQSX/" && zip -ur -0 "/usr/local/vip/vip-manager-i18n-common.jar"
updating: BOOT-INF/ (stored 0%)
updating: BOOT-INF/lib/ (stored 0%)
updating: BOOT-INF/lib/log4j-core-2.13.3.jar (stored 0%)
Start the vip manager i18n service.
root@vcf-sddcmgr [ /tmp/log4j-t01QRNHQSX ]# systemctl start vip-manager-i18n.service
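As an added example that is not part of this post or of VMware's KB scripts, here is the manual jar procedure (used above for the two Cloud Builder jars and for vip-manager-i18n-common.jar) together with the Cloud Builder Before/After start-script edit, reimplemented with Python's zipfile so it can be dry-run on a copy of a jar and verified afterwards. It assumes the Spring Boot layout seen in the zipinfo output (BOOT-INF/lib/log4j-core-<version>.jar), builds its own constructed sample jar, and the function names are mine.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_CORE_RE = re.compile(r"^BOOT-INF/lib/log4j-core-[^/]+\.jar$")
NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def find_log4j_core(fat_jar: bytes) -> list:
    """Same question as `zipinfo -1 app.jar | grep log4j-core-`."""
    with zipfile.ZipFile(io.BytesIO(fat_jar)) as zf:
        return [n for n in zf.namelist() if LOG4J_CORE_RE.match(n)]


def has_jndi_lookup(nested_jar: bytes) -> bool:
    """Same question as `zipinfo -1 log4j-core.jar | grep -q .../JndiLookup.class`."""
    with zipfile.ZipFile(io.BytesIO(nested_jar)) as zf:
        return JNDI_CLASS in zf.namelist()


def _copy_info(info: zipfile.ZipInfo, compress_type: int) -> zipfile.ZipInfo:
    # Fresh ZipInfo carrying the entry name, timestamp and permissions across.
    new = zipfile.ZipInfo(info.filename, date_time=info.date_time)
    new.compress_type = compress_type
    new.external_attr = info.external_attr
    return new


def strip_jndi_lookup(nested_jar: bytes) -> bytes:
    """Same effect as `zip -q -d log4j-core.jar .../JndiLookup.class` (copies every other entry)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(nested_jar)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(_copy_info(info, info.compress_type), src.read(info.filename))
    return out.getvalue()


def remediate_fat_jar(fat_jar: bytes) -> tuple:
    """Return (jar bytes, names of nested jars that were rewritten). A rewritten log4j-core
    is stored uncompressed, which is what the post's `zip -ur -0` does: Spring Boot's launcher
    only loads nested jars that are stored, not deflated. An unchanged jar is returned as-is."""
    changed = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(fat_jar)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if LOG4J_CORE_RE.match(info.filename) and has_jndi_lookup(data):
                changed.append(info.filename)
                dst.writestr(_copy_info(info, zipfile.ZIP_STORED), strip_jndi_lookup(data))
            else:
                dst.writestr(_copy_info(info, info.compress_type), data)
    return (out.getvalue(), changed) if changed else (fat_jar, changed)


def verify_fat_jar(fat_jar: bytes) -> dict:
    """Verification like the KB script's Stage 2: per nested log4j-core, is the class still there, is it stored?"""
    report = {}
    with zipfile.ZipFile(io.BytesIO(fat_jar)) as zf:
        for name in find_log4j_core(fat_jar):
            report[name] = {
                "jndi_lookup_present": has_jndi_lookup(zf.read(name)),
                "stored": zf.getinfo(name).compress_type == zipfile.ZIP_STORED,
            }
    return report


def add_no_lookups_flag(start_script: str) -> str:
    """The post's Before/After edit for CVE-2021-44228: insert the flag right after
    `-jar -Dserver.port=...` on each java launch line, only where it is still missing."""
    fixed = []
    for line in start_script.splitlines(keepends=True):
        if "java -jar" in line and NO_LOOKUPS_FLAG not in line:
            line = re.sub(r"(-jar\s+-Dserver\.port=\S+)", r"\1 " + NO_LOOKUPS_FLAG, line, count=1)
        fixed.append(line)
    return "".join(fixed)


def build_sample_fat_jar(with_jndi: bool) -> bytes:
    """Constructed test input, not a VMware jar: a tiny Spring Boot style fat jar whose
    nested log4j-core-2.13.1.jar optionally still carries JndiLookup.class."""
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("BOOT-INF/classes/application.properties", "server.port=8081\n")
        zf.writestr("BOOT-INF/lib/log4j-core-2.13.1.jar", nested.getvalue())
    return outer.getvalue()
```

To use it on an appliance, read a copy of the jar into bytes, call remediate_fat_jar, write the result to a new file, and compare verify_fat_jar before and after; the SDDC Manager start-vip.sh uses `$JAVA -jar` with a differently placed flag, so add_no_lookups_flag covers only the Cloud Builder scripts' `-jar -Dserver.port=` form.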
Running the workaround with the script (recommended by VMware)
This script handles both CVE-2021-44228 and CVE-2021-45046.
Running the script is recommended even if you have already applied the CVE-2021-44228 workaround.
Download the script file "log4j_vip_v3.sh" attached to the KB and copy it to the /home/vcf directory on SDDC Manager.
Connect to SDDC Manager over SSH
Escalate to root with the su command
vcf@vcf-sddcmgr [ ~ ]$ su
Run the script with the following command
Example output
root@vcf-sddcmgr [ /home/vcf ]# bash log4j_vip_v3.sh
» Starting to remediate log4j issue in VIP service
» ---
» Stopping VIP service: [systemctl stop vip-manager-i18n.service]
» ---
» Step 1 - Scanning if any of VIP jars [/usr/local/vip/vip-manager-i18n-common.jar /usr/local/vip/vip-manager-i18n-lite-master.0.0.276.jar] exist in system
» Found VIP jar [/usr/local/vip/vip-manager-i18n-common.jar] that needs analysis for existence of JndiLookup class
» Creating a working directory [/tmp/log4j-Q952zriuhN]
» Successfully created working directory [/tmp/log4j-Q952zriuhN] for updating [/usr/local/vip/vip-manager-i18n-common.jar]
» Looking for [log4j-core-*] in [/usr/local/vip/vip-manager-i18n-common.jar]
» Executing: [(zipinfo -1 /usr/local/vip/vip-manager-i18n-common.jar | grep log4j-core-*) || exit 1]
» Extracting [BOOT-INF/lib/log4j-core-2.13.3.jar] from [/usr/local/vip/vip-manager-i18n-common.jar] to temp directory [/tmp/log4j-Q952zriuhN]
» Executing: [unzip /usr/local/vip/vip-manager-i18n-common.jar BOOT-INF/lib/log4j-core-2.13.3.jar -d /tmp/log4j-Q952zriuhN || exit 1]
Archive: /usr/local/vip/vip-manager-i18n-common.jar
extracting: /tmp/log4j-Q952zriuhN/BOOT-INF/lib/log4j-core-2.13.3.jar
» Scanning [/tmp/log4j-Q952zriuhN/BOOT-INF/lib/log4j-core-2.13.3.jar] to check if [org/apache/logging/log4j/core/lookup/JndiLookup.class] exists
» Executing: [zipinfo -1 /tmp/log4j-Q952zriuhN/BOOT-INF/lib/log4j-core-2.13.3.jar | grep -q org/apache/logging/log4j/core/lookup/JndiLookup.class]
» Scanning completed. [/tmp/log4j-Q952zriuhN/BOOT-INF/lib/log4j-core-2.13.3.jar] does not have the affected class. No clean-up needed.
» Cleaning up working directory [/tmp/log4j-Q952zriuhN]
» Cleaned up working directory [/tmp/log4j-Q952zriuhN]
» ---
» Step 2 - Update flag [DLOG4J_FORMAT_MSG_NO_LOOKUPS=true] in VIP service start script
» Checking if flag [DLOG4J_FORMAT_MSG_NO_LOOKUPS=true] is set in [/usr/local/vip/bin/start-vip.sh] already
» Executing: [grep -q DLOG4J_FORMAT_MSG_NO_LOOKUPS=true /usr/local/vip/bin/start-vip.sh]
» Flag [DLOG4J_FORMAT_MSG_NO_LOOKUPS=true] is already set in VIP service start file [/usr/local/vip/bin/start-vip.sh]. No further action needed...
» ---
» Starting VIP service: systemctl start vip-manager-i18n.service
» ---
» Step 3 - Entering verification stage
» Verifying classpath removal
» Verifying JndiLookup class [org/apache/logging/log4j/core/lookup/JndiLookup.class] doesn't exist in VIP jar [/usr/local/vip/vip-manager-i18n-common.jar]
» Creating a working directory [/tmp/log4j-YYgTDfZNXJ]
» Successfully created working directory [/tmp/log4j-YYgTDfZNXJ] for updating [/usr/local/vip/vip-manager-i18n-common.jar]
» Looking for [log4j-core-*] in [/usr/local/vip/vip-manager-i18n-common.jar]
» Executing: [(zipinfo -1 /usr/local/vip/vip-manager-i18n-common.jar | grep log4j-core-*) || exit 1]
» Extracting [BOOT-INF/lib/log4j-core-2.13.3.jar] from [/usr/local/vip/vip-manager-i18n-common.jar] to temp directory [/tmp/log4j-YYgTDfZNXJ]
» Executing: [unzip /usr/local/vip/vip-manager-i18n-common.jar BOOT-INF/lib/log4j-core-2.13.3.jar -d /tmp/log4j-YYgTDfZNXJ || exit 1]
Archive: /usr/local/vip/vip-manager-i18n-common.jar
extracting: /tmp/log4j-YYgTDfZNXJ/BOOT-INF/lib/log4j-core-2.13.3.jar
» Scanning [/tmp/log4j-YYgTDfZNXJ/BOOT-INF/lib/log4j-core-2.13.3.jar] to check if [org/apache/logging/log4j/core/lookup/JndiLookup.class] exists
» Executing: [zipinfo -1 /tmp/log4j-YYgTDfZNXJ/BOOT-INF/lib/log4j-core-2.13.3.jar | grep -q org/apache/logging/log4j/core/lookup/JndiLookup.class]
» ---
» Scanning completed.
» Verified [/tmp/log4j-YYgTDfZNXJ/BOOT-INF/lib/log4j-core-2.13.3.jar] does not have the affected class.
» ---
» Cleaning up working directory [/tmp/log4j-YYgTDfZNXJ]
» Cleaned up working directory [/tmp/log4j-YYgTDfZNXJ]
» ---
» Verifying [LOG4J_FORMAT_MSG_NO_LOOKUPS=true] is updated in VIP start script
» Executing: [ps -ef | grep /vip/vip-manager-i18n | grep 'DLOG4J_FORMAT_MSG_NO_LOOKUPS=true']
vcf_vip 3750 1 0 06:50 ? 00:00:00 /usr/bin/java -jar -Dapp.log.home=/var/log/vmware/vip -server -XX:MaxMetaspaceSize=64m -XX:ParallelGCThreads=2 -Djava.compiler=NONE -DLOG4J_FORMAT_MSG_NO_LOOKUPS=true /usr/local/vip/vip-manager-i18n-common.jar --vipservice.cross.domain.alloworigin=vcf-sddcmgr.vcf.local --server.scheme=http --server.http.port=7900
» ---
» Verified [LOG4J_FORMAT_MSG_NO_LOOKUPS=true] is updated in VIP start script successfully
» Remediation successful for CVE-2021-44228
» ---
» Script run completed.
For the response for the other VCF components, refer to KB 87095.
That's all.