/vcenter-log4j

Script to apply official workaround for VMware vCenter log4j vulnerability CVE-2021-44228

Primary LanguageShellMIT LicenseMIT

VMware vCenter log4j workaround

Script to workaround VMware vCenter log4j vulnerability CVE-2021-44228, as per the VMware KB article.

2021-12-13 02:09 UTC - Added Secure Token & Identity Management services

2021-12-13 12:46 UTC - Added PSC Client for 6.5 - see below

VMware have released a python script linked on the KB article. The initial teething problems with their version seem to have been resolved.

Quick and dirty

And you're done.

What it does

  • Automatically detects the version and required steps
  • Backs up existing files to .bak files
  • Applies the workarounds recommended by VMware
  • Skips any steps that are already applied
  • Reports status as it goes
  • Provides a summary at the end - verification is more accurate / granular than the KB steps

If you don't like quick and dirty..

Apply workarounds and verify

cve-workaround

Run verification only

cve-workaround -v

Rollback - very basic, copies the .bak files over the patched files, restarts the services, and prints status messages.

cve-workaround -rollback

PSC Client Service for 6.5 - thank you to Power-Wagon on reddit for verifying

cve-workaround -sprayandpray65

Notes

Detects version and applies the relevant workarounds. Skips and reports per workaround step, if it thinks that workaround has been applied (safe to re-execute).

Services not starting / permissions fix

During my own testing - apply, rollback, re-re-re-apply - I ran across some issues with permissions on 6.7, which prevented some vCenter services from starting (and I still can't find any evidence of an actual error message being logged). Should you experience similar behaviour, this is the hammer I have been using to beat things into submission.

chmod 754 /usr/lib/vmware-vmon/java-wrapper-vmon
chown root:cis /usr/lib/vmware-vmon/java-wrapper-vmon
chmod 644 /usr/lib/vmware-updatemgr/bin/jetty/start.ini
chown updatemgr:updatemgr /usr/lib/vmware-updatemgr/bin/jetty/start.ini
chmod 440 /usr/lib/vmware/common-jars/log4j-core-2.8.2.jar
chown root:cis /usr/lib/vmware/common-jars/log4j-core-2.8.2.jar
chmod 755 /usr/lib/vmware-cm/lib/log4j-core.jar
chown cm:cis /usr/lib/vmware-cm/lib/log4j-core.jar

Happy to hear any bugs / issues.