...
CVE-2021-44228 has been determined to impact Workspace ONE Access Connector and VMware Identity Manager Connector via the Apache Log4j open source component they ship. This vulnerability and its impact on VMware products are documented in the following VMware Security Advisory (VMSA); please review that advisory before continuing: CVE-2021-44228 – VMSA-2021-0028

Possible compromise due to crafted API calls.

List of affected versions
- 21.08.0.1 - VMware Workspace ONE Access Connector
- 21.08 - VMware Workspace ONE Access Connector
- 20.10 - VMware Workspace ONE Access Connector
- 19.03.0.1 - VMware Identity Manager Connector
The workarounds described in this document are meant to be a temporary solution only. Upgrades documented in the aforementioned advisory should be applied to remediate CVE-2021-44228 when available.
NOTE: It is recommended to upgrade instances of unsupported versions to newer, supported versions before applying the workaround. This procedure may not work for older unsupported versions. Please refer to the VMware Lifecycle Matrix for a list of supported versions of the product.

It is highly recommended to take a snapshot and/or backup of the appliance(s) and the database server before proceeding.

For each enterprise services installation, apply the workaround to every one of the following services that is installed:
- User Auth Service
- Directory Sync Service
- Kerberos Auth Service
- Virtual App Service (applicable for 21.08 onwards)

Please follow the instructions as detailed below.

Directory Sync Service
1. Go to the folder <INSTALL_DIRECTORY>\Workspace ONE Access\Directory Sync Service
2. Open the file DirectorySyncService.xml
3. Find the following configuration line:
   <argument>-Dlog4j2.debug</argument>
   Under that line insert the following configuration:
   <argument>-Dlog4j2.formatMsgNoLookups=true</argument>
4. Restart the "VMware Directory Sync Service" from the Windows Services application.

User Auth Service
1. Go to the folder <INSTALL_DIRECTORY>\Workspace ONE Access\User Auth Service
2. Open the file UserAuthService.xml
3. Find the following configuration line:
   <argument>-Dlog4j2.debug</argument>
   Under that line insert the following configuration:
   <argument>-Dlog4j2.formatMsgNoLookups=true</argument>
4. Restart the "VMware User Auth Service" from the Windows Services application.

Kerberos Auth Service
1. Go to the folder <INSTALL_DIRECTORY>\Workspace ONE Access\Kerberos Auth Service
2. Open the file KerberosAuthService.xml
3. Find the following configuration line:
   <argument>-Dlog4j2.debug</argument>
   Under that line insert the following configuration:
   <argument>-Dlog4j2.formatMsgNoLookups=true</argument>
4. Restart the "VMware Kerberos Auth Service" from the Windows Services application.

Virtual App Service
1. Go to the folder <INSTALL_DIRECTORY>\Workspace ONE Access\Virtual App Service
2. Open the file VirtualAppService.xml
3. Find the following configuration line:
   <argument>-Dlog4j2.debug</argument>
   Under that line insert the following configuration:
   <argument>-Dlog4j2.formatMsgNoLookups=true</argument>
4. Restart the "VMware Virtual App Service" from the Windows Services application.

For legacy connector version 19.03.0.1
For each server where the "VMware IDM Connector Service" is installed, please follow the instructions as detailed below.
1. Go to the folder <INSTALL_DIR>:\VMware\VMwareIdentityManager\Connector\opt\vmware\horizon\workspace\bin
2. Open the file setenv.bat
3. Find the "set JVM_OPTS" section, and find the following configuration line:
   -Djava.util.logging.config.file="%TOMCAT_INSTANCE%\conf\logging.properties" ^
   Under that line insert the following configuration:
   -Dlog4j2.formatMsgNoLookups=true ^
4. Open the command prompt and navigate to the folder <INSTALL_DIR>:\VMware\VMwareIdentityManager\Connector\usr\local\horizon\scripts
5. Run the following commands in sequence:
   a. horizonService.bat update
   b. horizonService.bat restart
Important Note: Step 5 is mandatory for the change to take effect. The new JVM option is only picked up after horizonService.bat update has been run; restarting the "VMware IDM Connector Service" through the Services panel alone is not enough.
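The edits above are the same operation repeated per file: find one anchor line, insert the new JVM option directly under it, and do nothing if the option is already there. The following Python script is an added example (not VMware's own tooling) that performs that edit idempotently for the four 20.10/21.08 service XML files and for the 19.03.0.1 setenv.bat, keeps a .bak copy of each changed file, and verifies afterwards that the option is present on its own line. Folder and file names are taken from the procedure above; the sample file contents it creates for its stand-alone run are constructed for the demo and are not the real VMware files, and UTF-8 encoding of the files is an assumption. Service restarts, and horizonService.bat update / restart for the legacy connector, remain manual steps exactly as described above.

```python
"""Added example: idempotently apply the -Dlog4j2.formatMsgNoLookups=true
workaround to the Workspace ONE Access Connector service XML files and to the
legacy connector's setenv.bat, then verify.  Not VMware's tooling; file layout
follows the article, sample contents below are constructed for the demo."""
from pathlib import Path
import tempfile

NEW_ARG = "-Dlog4j2.formatMsgNoLookups=true"

# Anchor line to find and line to insert under it, per the article, per file type.
XML_ANCHOR = "<argument>-Dlog4j2.debug</argument>"
XML_NEW = f"<argument>{NEW_ARG}</argument>"
BAT_ANCHOR = '-Djava.util.logging.config.file="%TOMCAT_INSTANCE%\\conf\\logging.properties" ^'
BAT_NEW = f"{NEW_ARG} ^"

# Service folder under <INSTALL_DIRECTORY>\Workspace ONE Access -> its service XML.
SERVICE_FILES = {
    "Directory Sync Service": "DirectorySyncService.xml",
    "User Auth Service": "UserAuthService.xml",
    "Kerberos Auth Service": "KerberosAuthService.xml",
    "Virtual App Service": "VirtualAppService.xml",   # 21.08 onwards only
}
# 19.03.0.1 legacy connector, relative to the <INSTALL_DIR>: drive/root.
LEGACY_SETENV = Path("VMware/VMwareIdentityManager/Connector/opt/vmware/horizon/workspace/bin/setenv.bat")


def insert_after_anchor(text: str, anchor: str, new_line: str) -> tuple[str, str]:
    """Insert new_line directly under the first line equal to anchor (ignoring
    indentation), preserving the file's indentation and CRLF/LF line endings.
    Returns (text, status): 'added', 'present' (flag already set, file untouched)
    or 'anchor-missing' (layout differs from the article; do not guess, inspect)."""
    if NEW_ARG in text:
        return text, "present"
    lines = text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line.strip() != anchor:
            continue
        eol = "\r\n" if line.endswith("\r\n") else "\n"
        if not line.endswith("\n"):            # anchor was the last line, no EOL
            lines[i] = line + eol
        indent = line[: len(line) - len(line.lstrip())]
        lines.insert(i + 1, f"{indent}{new_line}{eol}")
        return "".join(lines), "added"
    return text, "anchor-missing"


def patch_file(path: Path, anchor: str, new_line: str) -> str:
    """Patch one file in place (bytes round-trip keeps CRLF), keeping a .bak copy."""
    original = path.read_bytes().decode("utf-8")      # assumption: UTF-8 files
    updated, status = insert_after_anchor(original, anchor, new_line)
    if status == "added":
        path.with_name(path.name + ".bak").write_bytes(original.encode("utf-8"))
        path.write_bytes(updated.encode("utf-8"))
    return status


def is_mitigated(path: Path) -> bool:
    """Post-edit check: the option must be a whole line of its own (not merely
    mentioned somewhere, e.g. inside a comment)."""
    lines = path.read_bytes().decode("utf-8").splitlines()
    return any(line.strip() in (XML_NEW, BAT_NEW) for line in lines)


def apply_workaround(install_dir: Path) -> dict[str, str]:
    """Patch every installed service XML; absent folders report 'not-installed'."""
    results = {}
    for folder, xml_name in SERVICE_FILES.items():
        xml = install_dir / "Workspace ONE Access" / folder / xml_name
        results[folder] = patch_file(xml, XML_ANCHOR, XML_NEW) if xml.is_file() else "not-installed"
    return results


def apply_legacy_workaround(install_root: Path) -> str:
    """19.03.0.1: patch setenv.bat.  horizonService.bat update + restart still required."""
    return patch_file(install_root / LEGACY_SETENV, BAT_ANCHOR, BAT_NEW)


# Constructed sample files (not real VMware file contents) for a stand-alone run.
SAMPLE_XML = (
    "<service>\r\n"
    "  <id>DirectorySyncService</id>\r\n"
    "  <executable>java</executable>\r\n"
    "  <argument>-Dlog4j2.debug</argument>\r\n"
    "  <argument>-jar</argument>\r\n"
    "  <argument>directory-sync.jar</argument>\r\n"
    "</service>\r\n"
)
SAMPLE_BAT = (
    "set JVM_OPTS=-Xmx1024m ^\r\n"
    '-Djava.util.logging.config.file="%TOMCAT_INSTANCE%\\conf\\logging.properties" ^\r\n'
    "-Dfile.encoding=UTF-8\r\n"
)


def demo() -> tuple[dict[str, str], str, bool]:
    """Lay the samples out in a temp dir, patch, patch again (must be a no-op),
    and return (first-run results, legacy status, everything-verified flag)."""
    root = Path(tempfile.mkdtemp())
    svc = root / "Workspace ONE Access" / "Directory Sync Service"
    svc.mkdir(parents=True)
    (svc / "DirectorySyncService.xml").write_bytes(SAMPLE_XML.encode("utf-8"))
    bat = root / LEGACY_SETENV
    bat.parent.mkdir(parents=True)
    bat.write_bytes(SAMPLE_BAT.encode("utf-8"))
    first = apply_workaround(root)
    legacy = apply_legacy_workaround(root)
    second = apply_workaround(root)
    ok = (is_mitigated(svc / "DirectorySyncService.xml") and is_mitigated(bat)
          and second["Directory Sync Service"] == "present")
    return first, legacy, ok


if __name__ == "__main__":
    print(demo())
```

On a real connector host, run it as an administrator with the actual <INSTALL_DIRECTORY> and <INSTALL_DIR> roots instead of the temp directory, then restart the services as described above. A status of anchor-missing means the file does not look like the one the article describes and should be edited by hand rather than guessed at. Keep in mind that the formatMsgNoLookups option only has an effect on Log4j 2.10 and later, and, as this article states, is a temporary measure until the upgrade in the VMSA is applied.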
To revert the CVE-2021-44228 workaround, revert to the snapshot taken before applying these steps.

Change Log:
December 11th 2021 3:05AM PST: First version of workaround published
December 14th 2021 9:50AM PST: Added link to Lifecycle Matrix