[ vrslcm security cve ]

vRSLCM Log4j

vRealize Suite Lifecycle Manager 8.x leverages Log4j in its server and blackstone spring jar’s, and so with the recent vulnerability noted in CVE-2021-44228 - VMSA-2021-0028 we need to patch the affected files.

During the process the vRSLCM and Blackstone jar’s will be backed up, replaced and services restarted.

Active Requests

Since we will be restarting the vRSLCM and Blackstone service’s, ensure there are no active lifecycle operation or content management requests

Snapshots for safety

As always, prior to applying any patch it is recommended to ensure there are adequate backups and snapshots!

Download the fix

To begin we need to first download the log4jfix patch in the KB’s Attachment’s box, and copied to the appliance, over SCP, into the /tmp directory

SSH to the vRSLCM appliance

SSH to the vRSLCM appliance and change the directory to tmp

[email protected] [ ~ ]# cd /tmp

Set permissions on the script, so it may be executed

Use chmod to set the log4jfix script permissions, so it may be executed

[email protected] [ /tmp ]# chmod +x log4jfix.sh

Confirm permissions are set successfully

[email protected] [ /tmp ]# ls -lah log4jfix.sh
-rwx------ 1 root root 339 Dec 12 19:29 /tmp/log4jfix.sh

Apply the patch

[email protected] [ /tmp/ ]# ./log4jfix.sh

Applying the patch to vRSLCM 8.6 took a few minuets to complete in my environment.

To see the output of applying the patch, I have captured the console output here. Log4jfix output log

Additional Information

This vulnerability and its impact on VMware products are documented in the following VMware Security Advisory (VMSA)

VMSA-2021-0028



DISCLAIMER This is a personal blog. Any views or opinions represented in this blog are personal and belong solely to the blog owner and do not represent those of people, institutions or organizations that the owner may or may not be associated with in professional or personal capacity, unless explicitly stated. Any views or opinions are not intended to malign any religion, ethnic group, club, organization, company, or individual.
All content provided on this blog is for informational purposes only. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information.
Photos
Unless stated, all photos are the work of the blog owner and are licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License. If used with watermark, no need to credit to the blog owner. For any edit to photos, including cropping, please contact me first.
Recipes
Unless stated, all recipes are the work of the blog owner and are licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License. Please credit all recipes to the blog owner and link back to the original blog post.
Downloadable Files
Any downloadable file, including but not limited to pdfs, docs, jpegs, pngs, is provided at the user’s own risk. The owner will not be liable for any losses, injuries, or damages resulting from a corrupted or damaged file.
Comments
Comments are welcome. However, the blog owner reserves the right to edit or delete any comments submitted to this blog without notice due to
– Comments deemed to be spam or questionable spam
– Comments including profanity
– Comments containing language or concepts that could be deemed offensive
– Comments containing hate speech, credible threats, or direct attacks on an individual or group
The blog owner is not responsible for the content in comments.
This policy is subject to change at anytime. disclamer c/o http://kaloferov.com/