“-Dlog4j2.formatMsgNoLookups=true” or “class JndiLookup” is not a valid workaround anymore!

It looks like the workaround published by VMware is not valid anymore!

On December 9, 2021, VMware released VMSA-2021-0028 to track the impact of an Apache Software Foundation security advisory for their extremely popular Log4j Java logging component on VMware products and services. An updated workaround for CVE-2021-44228, as well as guidance on a second vulnerability, CVE-2021-45046, was released by the Apache Software Foundation on December 14, 2021, 2230 PST. These advisories outline critical remote code execution vulnerabilities in the Log4j component, scoring 10 of 10 on the Common Vulnerability Scoring System (CVSS) for all affected VMware products.

VMware is expecting to publish an update on December 15, 2021, 0930 PST (UTC-7).

In the meantime, the workaround for vRNI has been published:

The KB article “Workaround instructions to address CVE-2021-44228/CVE-2021-45046 in vRNI On-Prem installations (87135)” (https://kb.vmware.com/s/article/87135) has been updated.

The KB includes a script which removes the JndiLookup class from the classpath as per Apache Software Foundation guidance.
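
One way to check the result of that removal step, as an added example (it is not VMware's KB script and not code from the original post): it walks a directory, opens every JAR/WAR/EAR, nested archives included, and lists those that still contain `JndiLookup.class`. The archive names used in `demo()` are constructed sample data.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Class that Apache's guidance says to remove from the log4j-core JAR.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear")

def scan_archive(src, label, findings):
    """Append a label for every archive, nested ones included, that still holds the class."""
    try:
        with zipfile.ZipFile(src) as zf:
            names = zf.namelist()
            if any(n.endswith(JNDI_CLASS) for n in names):
                findings.append(label)
            for n in names:
                if n.lower().endswith(ARCHIVES):  # fat JAR or WAR: recurse in memory
                    scan_archive(io.BytesIO(zf.read(n)), f"{label}!/{n}", findings)
    except zipfile.BadZipFile:
        pass  # not a readable archive, nothing to report

def scan_tree(root):
    """Return sorted paths (relative to root) of archives where the class is still present."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            scan_archive(path, path.relative_to(root).as_posix(), findings)
    return sorted(findings)

def make_zip(entries):  # helper for the constructed sample only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    """Constructed sample: untouched JAR, patched JAR, WAR with a nested untouched JAR."""
    core = make_zip({JNDI_CLASS: b"stub", "META-INF/MANIFEST.MF": b""})
    patched = make_zip({"META-INF/MANIFEST.MF": b""})
    war = make_zip({"WEB-INF/lib/log4j-core-sample.jar": core})
    with tempfile.TemporaryDirectory() as root:
        for fname, blob in (("untouched.jar", core), ("patched.jar", patched), ("app.war", war)):
            Path(root, fname).write_bytes(blob)
        return scan_tree(root)

if __name__ == "__main__":
    print("JndiLookup.class still present in:", demo())
```

On a real system, call `scan_tree()` on the application's install directory; an empty list means no scanned archive still carries the class.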

VMware expects to fully address both CVE-2021-44228 and CVE-2021-45046 by updating log4j to version 2.16 in forthcoming releases of vRealize Network Insight, as outlined by software support policies. 
