Workaround instructions to address CVE-2021-44228 in Site Recovery Manager

A patch for Site Recovery Manager is not yet available, so here is the workaround VMware provides for CVE-2021-44228 (Log4Shell). It has to be applied on the Site Recovery Manager appliance itself.

Run list:

  1. Make sure SSH access is enabled (appliance at 8.3 or newer):
    • Log in to the SRM Appliance Manager Interface as admin
    • Click ACCESS
    • In the SSH pane, click Enable
  2. Download the script: disable_log4j_srm.bash
    NOTE: this is the script provided by VMware, and the link leads to the VMware repository.
  3. Copy disable_log4j_srm.bash to /root via SCP.

NOTE: if you get a permission error, copy the file to /tmp instead. After logging in over SSH and switching to root, move it from /tmp to /root.

  4. Log in to the Site Recovery Manager Virtual Appliance via SSH as the admin user.
  5. Change to root by typing: su
  6. Stop all Java services by running these commands:
systemctl stop dr-client.service
systemctl stop drconfigui.service
systemctl stop dr-configurator.service
  7. Make the script executable:
chmod +x /root/disable_log4j_srm.bash
  8. Run the script:
/root/disable_log4j_srm.bash

NOTE: You might see the message “JndiLookup.class not found in /path/to/log4j-core-2.13.3-sources.jar” once for each log4j-core-*-sources.jar. This is expected and safe to ignore: a sources jar holds .java files, not compiled classes, so there is nothing to remove from it.
Any other warning means the file it names and its contents must be verified manually.

  9. Restart all Java services:
systemctl start dr-client.service
systemctl start drconfigui.service
systemctl start dr-configurator.service
  10. Verify that the vulnerable jars were mitigated successfully:
grep -R 'JndiLookup.class' /opt/vmware/
grep -R 'JndiLookup.class' /var/opt/apache-tomcat/

NOTE: These commands should return no output. If they print anything, go back to step 1 and re-run the workaround.

  11. Verify that the environment variable has been set for every Java process (all in one line):
for pid in $( ps ax | grep java | grep -v grep | awk '{print $1}' ); do cat /proc/$pid/environ | tr '\0' '\n' | grep "LOG4J_FORMAT_MSG_NO_LOOKUPS"; done

NOTE: expected output is one line reading “LOG4J_FORMAT_MSG_NO_LOOKUPS=true” for each Java process, so several lines in total.
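To make clear what the two verification checks above are actually testing, here is an added, self-contained example. It is not VMware's disable_log4j_srm.bash and not from the KB article; it is written in Python so it runs offline without the zip/unzip tools. It builds a constructed directory of jars (a vulnerable log4j-core jar, a sources jar, and a corrupt jar; all paths and contents are made up), detects the JndiLookup.class entry by reading each archive's central directory (the reason the page's `grep -R 'JndiLookup.class'` works at all is that zip entry names are stored uncompressed), removes that entry the way `zip -d` would, re-scans, and parses a /proc/<pid>/environ-style NUL-separated blob for the LOG4J_FORMAT_MSG_NO_LOOKUPS flag. The function and variable names are the example's own.

```python
"""Constructed, offline model of the SRM Log4Shell workaround's two checks.

Assumptions (not from the KB article): jar paths, environ blobs and the
fixture tree below are all made up for this demonstration.
"""
import os
import tempfile
import zipfile

# Archive entry whose presence makes a log4j-core 2.x jar exploitable via JNDI lookups.
JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ENV_FLAG = b"LOG4J_FORMAT_MSG_NO_LOOKUPS"


def scan_jars(root):
    """Walk `root` and return (hits, warnings).

    hits:     jar files that still contain JndiLookup.class
    warnings: *.jar files that are not readable zip archives and need a manual look
    Entry names sit uncompressed in the zip central directory, which is why a
    plain `grep -R 'JndiLookup.class'` finds them; here the directory is parsed.
    """
    hits, warnings = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as jar:
                    if JNDI_ENTRY in jar.namelist():
                        hits.append(path)
            except zipfile.BadZipFile:
                warnings.append(path)
    return sorted(hits), sorted(warnings)


def strip_jndilookup(jar_path):
    """Rewrite `jar_path` without the JndiLookup.class entry, keeping every other
    entry and its compression method (same outcome as `zip -d`). Returns True
    when the entry was present and removed."""
    tmp_path = jar_path + ".tmp"
    removed = False
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_ENTRY:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp_path, jar_path)
    return removed


def lookups_disabled(environ_bytes):
    """Parse the NUL-separated contents of /proc/<pid>/environ and report whether
    LOG4J_FORMAT_MSG_NO_LOOKUPS=true is set, i.e. what the page's loop greps for."""
    for entry in environ_bytes.split(b"\0"):
        key, _, value = entry.partition(b"=")
        if key == ENV_FLAG:
            return value.strip().lower() == b"true"
    return False


def build_fixture(root):
    """Constructed fixture: one vulnerable core jar, one sources jar without the
    class (the 'not found' message case) and one corrupt jar (the warning case)."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    with zipfile.ZipFile(os.path.join(lib, "log4j-core-2.13.3.jar"), "w",
                         compression=zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        jar.writestr(JNDI_ENTRY, b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(lib, "log4j-core-2.13.3-sources.jar"), "w") as jar:
        jar.writestr("org/apache/logging/log4j/core/Logger.java", b"class Logger {}")
    with open(os.path.join(lib, "broken.jar"), "wb") as fh:
        fh.write(b"this is not a zip archive")


def run_workaround_demo():
    """Scan, mitigate, re-scan; returns counts and the surviving entries."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        hits_before, warnings = scan_jars(root)
        stripped = [p for p in hits_before if strip_jndilookup(p)]
        hits_after, _ = scan_jars(root)
        # The mitigated jar must still open and keep its other entries.
        with zipfile.ZipFile(stripped[0]) as jar:
            remaining = jar.namelist()
        return {
            "hits_before": len(hits_before),
            "stripped": len(stripped),
            "hits_after": len(hits_after),
            "warnings": len(warnings),
            "remaining_entries": remaining,
        }


if __name__ == "__main__":
    print(run_workaround_demo())
    # Constructed environ blobs standing in for /proc/<pid>/environ of two Java processes.
    print(lookups_disabled(b"PATH=/usr/bin\0LOG4J_FORMAT_MSG_NO_LOOKUPS=true\0"))
    print(lookups_disabled(b"PATH=/usr/bin\0"))
```

Two practical points follow from this. A corrupt or unreadable jar is reported rather than silently skipped, which is the situation the "manual verification" note above is about. And removing JndiLookup.class is the part of the workaround that holds up: the LOG4J_FORMAT_MSG_NO_LOOKUPS flag checked in the last step was later shown to be insufficient on its own (CVE-2021-45046), so treat that check as defence in depth, not as a substitute for the jar change.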

Source: https://kb.vmware.com/s/article/87123

Please like and share to spread the knowledge in the community.

If you want to chat with me please use Twitter: @AngrySysOps

Visit my FB page: https://www.facebook.com/AngrySysOps

Read my blog: https://angrysysops.com

Subscribe to my channel: https://www.youtube.com/channel/UCRTcKGl0neismSRpDMK_M4A

Please leave a comment.