The Log4j vulnerability in an Apache Java component is one of the more serious and widespread software security flaws to be identified in some time, although it does seem like that's said every few months. Basically, the flaw is triggered when a specific string is sent to the logging module. This string can be used to trigger a lookup on a remote server, returning Java code that is then loaded into the process. This lets the attacker execute commands at the same privilege level as the application using the logging library. In short, it allows remote code execution and complete control by an attacker.
I had a number of ESXi 6.5 servers that needed to be patched. Fortunately, VMware has a Python script that can be used for automated remediation.
- Enable SSH login on the vCenter appliance: browse to https://vcenterappliance:5480/, then choose Access > Edit > Enable SSH login.
- Download the current Python script from VMware: Workaround instructions to address CVE-2021-44228 and CVE-2021-45046 in vCenter Server and vCenter Cloud Gateway (87081).
- Launch Kitty, or your SSH application of choice. Connect to your vCenter appliance and load the shell:

```
login as: root
Pre-authentication banner message from server:
| VMware vCenter Server Appliance 6.5.0.35000
|
| Type: vCenter Server with an embedded Platform Services Controller
End of banner message from server
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server
Connected to service

    * List APIS: "help api list"
    * List Plugins: "help pi list"
    * Launch BASH: "shell"

Command> shell
Shell access is granted to root
root@servername [ ~ ]#
```
- Create a new file in vi. Press `I` for Insert mode, then paste in the script contents that were downloaded from VMware by right-clicking in the terminal. After the paste is complete, press `Esc`, then `:wq` to save the file and quit vi. I also validate the size of the new file:

```
root@servername [ ~ ]# vi /tmp/vmsa-2021-0028-kb87081.py
root@servername [ ~ ]# ls /tmp/vmsa* -l
-rw-r--r-- 1 root root 44290 Dec 21 20:43 /tmp/vmsa-2021-0028-kb87081.py
root@servername [ ~ ]#
```
- Run the script with the command `python /tmp/vmsa-2021-0028-kb87081.py`:

```
root@servername [ ~ ]# python /tmp/vmsa-2021-0028-kb87081.py
2021-12-21T20:45:37 INFO main: Script version: 1.6.0
2021-12-21T20:45:37 INFO main: vCenter type: Version: 6.5.0.35000; Build: 17994927; Deployment type: embedded; Gateway: False; VCHA: False; Windows: False;
A service stop and start is required to complete this operation. Continue? [y] y
2021-12-21T20:45:44 INFO Stop: stopping services
```
- The script will run for some time. After it’s complete, review the output to make sure it completed successfully.
- For my own sanity, I run the script a second time with the `-r` flag in order to validate the results:

```
root@servername [ ~ ]# python /tmp/vmsa-2021-0028-kb87081.py -r
2021-12-21T20:55:17 INFO main: Script version: 1.6.0
2021-12-21T20:55:17 INFO main: vCenter type: Version: 6.5.0.35000; Build: 17994927; Deployment type: embedded; Gateway: False; VCHA: False; Windows: False;
2021-12-21T20:55:17 INFO main: Running in dryrun mode.
2021-12-21T20:56:01 INFO print_summary: Summary
No vulnerable files found!
Total found: 0
Log file: /var/log/vmsa-2021-0028_2021_12_21_20_55_17.log
2021-12-21T20:56:01 INFO main: Done.
root@servername [ ~ ]#
```
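Two of the manual checks above (eyeballing the size of the pasted file, and reading the `-r` summary) are worth scripting when there are several appliances to do. The shell example below is added here and is my own, not VMware's or the post's code; it assumes the script sits at /tmp/vmsa-2021-0028-kb87081.py on the appliance, that the expected byte count and SHA-256 were taken from the downloaded copy on the workstation, and that the `-r` output was saved to a file. The sample logs are constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not VMware's or the post's code): checks for two steps above.

# verify_pasted_script FILE EXPECTED_BYTES EXPECTED_SHA256
# Take EXPECTED_* from the downloaded copy (`wc -c`, `sha256sum` on the
# workstation); a paste through the terminal can silently truncate the file.
verify_pasted_script() {
    file="$1"; want_bytes="$2"; want_sha="$3"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    got_bytes=$(wc -c < "$file" | tr -d ' ')
    got_sha=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$got_bytes" = "$want_bytes" ] || { echo "size $got_bytes != $want_bytes" >&2; return 1; }
    [ "$got_sha" = "$want_sha" ] || { echo "sha256 mismatch: paste corrupted?" >&2; return 1; }
    echo "pasted script matches the download"
}

# check_dryrun_log FILE   (FILE = captured output of `python ... -r`)
# Succeeds only for a finished dry run with no ERROR lines and "Total found: 0".
check_dryrun_log() {
    log="$1"
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    grep -q ' ERROR ' "$log" && { grep ' ERROR ' "$log" >&2; return 1; }
    grep -q 'Running in dryrun mode' "$log" || { echo "not a -r run" >&2; return 1; }
    grep -q 'INFO main: Done\.' "$log" || { echo "script did not finish" >&2; return 1; }
    found=$(sed -n 's/.*Total found: \([0-9][0-9]*\).*/\1/p' "$log" | tail -n 1)
    [ -n "$found" ] || { echo "no summary line in $log" >&2; return 1; }
    [ "$found" -eq 0 ] || { echo "$found vulnerable file(s) still reported" >&2; return 1; }
    echo "dry run clean: no vulnerable files"
}

# Constructed sample logs modelled on the -r output shown above (not real runs).
SAMPLE_CLEAN_LOG='2021-12-21T20:55:17 INFO main: Running in dryrun mode.
2021-12-21T20:56:01 INFO print_summary: Summary
No vulnerable files found!
Total found: 0
2021-12-21T20:56:01 INFO main: Done.'
SAMPLE_DIRTY_LOG='2021-12-21T20:55:17 INFO main: Running in dryrun mode.
2021-12-21T20:56:01 INFO print_summary: Summary
Total found: 2
2021-12-21T20:56:01 INFO main: Done.'

# Stand-alone demo: write the samples to temp files and run both verdicts.
demo() {
    d=$(mktemp -d)
    printf '%s\n' "$SAMPLE_CLEAN_LOG" > "$d/clean.log"
    printf '%s\n' "$SAMPLE_DIRTY_LOG" > "$d/dirty.log"
    check_dryrun_log "$d/clean.log"
    check_dryrun_log "$d/dirty.log" || echo "(dirty sample correctly rejected)"
}
demo
```

On the appliance, `verify_pasted_script /tmp/vmsa-2021-0028-kb87081.py 44290 <sha256-from-download>` replaces the `ls -l` glance, and `python /tmp/vmsa-2021-0028-kb87081.py -r > dryrun.log 2>&1; check_dryrun_log dryrun.log` gives a pass/fail exit code you can collect per host.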
References
The articles I referenced when figuring this out were:
Workaround instructions to address CVE-2021-44228 and CVE-2021-45046 in vCenter Server and vCenter Cloud Gateway (87081)