...
CVE-2021-44228 and CVE-2021-45046 have been determined to impact VMware Unified Access Gateway via the Apache Log4j open source component it ships. This vulnerability and its impact on VMware products are documented in the following VMware Security Advisory (VMSA); please review it before continuing: CVE-2021-44228 & CVE-2021-45046 - VMSA-2021-0028
The vulnerability applies to all versions of the Unified Access Gateway appliance up to and including UAG version 2111 when configured for RADIUS or RSA SecurID authentication with the Horizon edge service or the Web Reverse Proxy edge service. The vulnerability can potentially allow remote code execution on Unified Access Gateway as the low-privilege, non-root "gateway" user. As far as we know, UAG appliances configured for SAML, certificate or passthrough authentication are not affected. As far as we know, all Unified Access Gateway appliance versions using the Workspace ONE UEM Tunnel, Content Gateway or Secure Email Gateway edge services are also not affected.
The CVE-2021-44228 and CVE-2021-45046 vulnerabilities have been resolved in Unified Access Gateway version 2111.1 and newer. This new version uses Apache log4j-core version 2.16.0, which includes a fix for both vulnerabilities. Refer to the VMware Unified Access Gateway Release Notes for 2111.1 for further details of this update: https://docs.vmware.com/en/Unified-Access-Gateway/2111.1/rn/unified-access-gateway-21111-release-notes/index.html

VMware recommends that, if the risk applies based on the Impact/Risk description above, customers upgrade to Unified Access Gateway version 2111.1 or newer as soon as possible to remediate CVE-2021-44228 and CVE-2021-45046.

The workaround described below is meant to be a temporary solution only, prior to upgrading to version 2111.1. The workaround can be applied to any Unified Access Gateway version between 3.3 and 2111. If a version older than 3.3 is still in use, then the recommendation is to upgrade it to version 2111.1 or newer.
A workaround is available for UAG versions 3.3 through 2111 inclusive. The instructions vary depending on the version of UAG. If you are running a version older than 3.3, you must upgrade to UAG version 2106.2 or 2111 first, before applying this workaround.

On December 14, 2021 the Apache Software Foundation notified the community that its initial guidance for CVE-2021-44228 workarounds was not sufficient. We believed the previous instructions in this article to be an effective mitigation for CVE-2021-44228, but in the best interest of our customers we must assume the earlier workaround may not adequately address all attack vectors. We have updated the workaround instructions in this Knowledge Base article with revised guidance to remove all JndiLookup classes, per Apache Software Foundation guidance.

ATTEMPTING TO APPLY THIS WORKAROUND TO VERSIONS OLDER THAN UAG 3.3 MAY NOT WORK, SO THEY SHOULD BE UPGRADED.

If the previous workaround guidance involving the -Dlog4j2.formatMsgNoLookups=true setting was followed, there is no need to revert that change, but the updated workaround instructions below still need to be followed.

Workaround instructions for UAG versions 3.3 to 2111 inclusive

There are two options for applying a temporary workaround to mitigate this issue. There is a scripted method using the uag_rm_log4j_jndilookup.sh script, and this is the recommended approach. For cases where scripted mitigation is not possible, there is an alternative manual method involving a set of commands run from the UAG console. Both workarounds are detailed here.
Scripted Method (Preferred)

To apply the workaround for CVE-2021-44228 and CVE-2021-45046 to Unified Access Gateway versions 3.3 through 2111 using the scripted method, perform the following steps:

1. Download the script uag_rm_log4j_jndilookup.sh that is attached to this KB and copy it to the UAG appliance.
2. SSH into the UAG console as the root user and cd to the directory in which the script is located.
3. Set executable permission on the script:
    chmod +x uag_rm_log4j_jndilookup.sh
4. Run the script to remove all occurrences of log4j's JndiLookup.class:
    ./uag_rm_log4j_jndilookup.sh
5. If the UAG version is between 2009 and 2111, it is also necessary to set the -Dlog4j2.formatMsgNoLookups=true option on the authbroker service with the following commands. Note the space between "s/java /java" and the space after "true /" in the command; these are important to ensure the command works correctly and doesn't modify the wrong lines in the configuration file.
    sed -i 's/java /java -Dlog4j2.formatMsgNoLookups=true /' /opt/vmware/gateway/supervisor/conf/authbroker.ini
    supervisorctl update
6. If step 5 was done, verify that the new setting has taken effect by running the following command and checking that the process command parameters include -Dlog4j2.formatMsgNoLookups=true:
    ps -ef | grep ab-frontend

Command Method

To apply the workaround for CVE-2021-44228 and CVE-2021-45046 to Unified Access Gateway versions 3.3 through 2111 using a set of commands, perform the following steps:

1. Log into the Unified Access Gateway console as root, either over ssh or directly on the Unified Access Gateway console.
2. Run the following command to list occurrences of JndiLookup.class:
    find / -type f \( -name "*.jar" -o -name "*.war" \) -exec sh -c "zipinfo -1 {} 2>/dev/null | grep 'JndiLookup.class' && echo [+]{}" \;
3. Remove the vulnerable JndiLookup.class from the Java ab-frontend-0.2.jar file. The class sits in a log4j-core jar inside hc.war inside that jar, so the archives are unpacked, edited and repacked:
    mkdir -p /tmp/fix-jar
    unzip -q -o /opt/vmware/gateway/lib/ab-frontend-0.2.jar -d /tmp/fix-jar
    unzip -q -o /tmp/fix-jar/hc.war -d /tmp/fix-jar/hc
    zip -dq /tmp/fix-jar/hc/WEB-INF/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
    rm /tmp/fix-jar/hc.war
    (cd /tmp/fix-jar/hc && zip -r -q /tmp/fix-jar/hc.war .)
    rm -rf /tmp/fix-jar/hc
    (cd /tmp/fix-jar && zip -r -q ab-frontend-0.2.jar . && chown gateway:users ab-frontend-0.2.jar)
    mv /tmp/fix-jar/ab-frontend-0.2.jar /opt/vmware/gateway/lib
4. Remove the vulnerable JndiLookup.class from the other .jar files:
    find / -type f \( -name "*.jar" -o -name "*.war" \) -exec sh -c "zipinfo -1 {} 2>/dev/null | grep 'JndiLookup.class' && echo {}" \; | grep .jar | while read -r line ; do
        jar_path=$line
        zip -dq "$jar_path" org/apache/logging/log4j/core/lookup/JndiLookup.class
        chown gateway:users "$jar_path"
    done
5. Re-run the command from step 2 to list occurrences of JndiLookup.class. This time there should be no references, so nothing will be listed.
    find / -type f \( -name "*.jar" -o -name "*.war" \) -exec sh -c "zipinfo -1 {} 2>/dev/null | grep 'JndiLookup.class' && echo [+]{}" \;
6. If the UAG version is between 2009 and 2111, it is also necessary to set the -Dlog4j2.formatMsgNoLookups=true option on the authbroker service with the following command. Note the space between "s/java /java" and the space after "true /" in the command; these are important to ensure the command works correctly and doesn't modify the wrong lines in the configuration file.
    sed -i 's/java /java -Dlog4j2.formatMsgNoLookups=true /' /opt/vmware/gateway/supervisor/conf/authbroker.ini
7. Restart the authbroker service:
    supervisorctl restart authbroker
8. If step 6 was done, verify that the new setting has taken effect by running the following command and checking that the process command parameters include -Dlog4j2.formatMsgNoLookups=true:
    ps -ef | grep ab-frontend
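The following Python 3 script is an added example and is not VMware's uag_rm_log4j_jndilookup.sh (whose contents are not reproduced on this page). It performs the same job as steps 2 to 5 of the command method with only the standard library: it walks a directory tree, reports every JndiLookup.class found in .jar/.war files, including archives nested inside other archives (the ab-frontend-0.2.jar -> hc.war -> log4j-core jar layout that step 3 has to unpack by hand because zip -d cannot reach a nested entry), rewrites each affected archive without that entry while keeping every other entry, and rescans to confirm nothing remains. Everything in build_sample_tree() is a constructed placeholder (fake class bytes, a made-up log4j-core-2.x.jar name); the real appliance paths and the chown gateway:users step from the KB are not recreated here.

```python
#!/usr/bin/env python3
"""Find and strip log4j's JndiLookup.class from Java archives, descending into
archives nested inside other archives (jar -> war -> jar). Added example using
only the standard library; not VMware's uag_rm_log4j_jndilookup.sh script."""
import io
import os
import tempfile
import zipfile

JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def find_jndi_entries(data: bytes, location: str) -> list:
    """Return 'outer!inner!entry' paths of every JndiLookup.class in the archive
    bytes, recursing into nested archives."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == JNDI_ENTRY:
                hits.append(f"{location}!{name}")
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                try:
                    hits.extend(find_jndi_entries(zf.read(name), f"{location}!{name}"))
                except zipfile.BadZipFile:
                    pass  # named like an archive but is not one; skip it
    return hits


def strip_jndi(data: bytes) -> bytes:
    """Return a copy of the archive with JndiLookup.class removed at every
    nesting level; all other entries are carried over unchanged."""
    out_buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out_buf, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_ENTRY:
                continue
            payload = src.read(info.filename)
            if info.filename.lower().endswith(ARCHIVE_SUFFIXES):
                try:
                    payload = strip_jndi(payload)
                except zipfile.BadZipFile:
                    pass
            # keep name, timestamp, compression method and permission bits
            new = zipfile.ZipInfo(info.filename, date_time=info.date_time)
            new.compress_type = info.compress_type
            new.external_attr = info.external_attr
            dst.writestr(new, payload)
    return out_buf.getvalue()


def scan_tree(root: str) -> dict:
    """Map each archive under root to the JndiLookup entries it contains."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                try:
                    hits = find_jndi_entries(fh.read(), path)
                except zipfile.BadZipFile:
                    continue
            if hits:
                found[path] = hits
    return found


def remediate_tree(root: str) -> dict:
    """Rewrite every affected archive without JndiLookup.class, keeping the file
    mode; returns the scan result that drove the rewrite."""
    affected = scan_tree(root)
    for path in affected:
        with open(path, "rb") as fh:
            cleaned = strip_jndi(fh.read())
        mode = os.stat(path).st_mode
        tmp = path + ".tmp"
        with open(tmp, "wb") as fh:
            fh.write(cleaned)
        os.chmod(tmp, mode)
        os.replace(tmp, path)  # atomic swap: never leaves a half-written jar behind
    return affected


def _make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def build_sample_tree(root: str) -> None:
    """Constructed stand-in for the layout the KB describes: an outer jar holding
    hc.war, which holds a log4j-core jar; plus a standalone log4j jar and a clean
    jar. Class bytes are placeholders, not real log4j code."""
    log4j = _make_zip({JNDI_ENTRY: b"placeholder-class-bytes",
                       "org/apache/logging/log4j/core/Logger.class": b"placeholder"})
    war = _make_zip({"WEB-INF/lib/log4j-core-2.x.jar": log4j, "WEB-INF/web.xml": b"<web-app/>"})
    outer = _make_zip({"hc.war": war, "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    for name, data in (("ab-frontend-0.2.jar", outer), ("log4j-core-2.x.jar", log4j),
                       ("clean.jar", _make_zip({"a/B.class": b"placeholder"}))):
        with open(os.path.join(lib, name), "wb") as fh:
            fh.write(data)


def demo() -> dict:
    """Build the constructed tree in a temp dir, scan, remediate and rescan."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        before = scan_tree(root)
        remediate_tree(root)
        after = scan_tree(root)
        with zipfile.ZipFile(os.path.join(root, "lib", "ab-frontend-0.2.jar")) as zf:
            manifest_kept = "META-INF/MANIFEST.MF" in zf.namelist()

    def rel(p):
        return os.path.relpath(p, root).replace(os.sep, "/")

    return {"affected_before": sorted(rel(p) for p in before),
            "hits_before": sum(len(v) for v in before.values()),
            "affected_after": sorted(rel(p) for p in after),
            "manifest_kept": manifest_kept}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as a script to see the before/after scan on the constructed tree; to use it against a real filesystem, call scan_tree("/") first and review the list, then remediate_tree() on the directories you intend to change. On an appliance where the archives are owned by a service account (gateway:users on UAG), restore ownership after the rewrite, as step 4 of the command method does with chown.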
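Steps 5/6 warn that the exact spacing in the sed expression matters so that only the java launch line is altered. The added example below (not VMware's command; written for this page) makes that edit token-wise instead: it inserts -Dlog4j2.formatMsgNoLookups=true directly after the java executable on each command= line, leaves lines where "java" merely appears in an argument untouched, and is idempotent, so running it twice does not add the flag twice, which a plain sed substitution would. flag_present() is the equivalent of the ps -ef check in steps 6/8. SAMPLE_INI is a constructed stand-in; the real /opt/vmware/gateway/supervisor/conf/authbroker.ini is not reproduced on the page.

```python
#!/usr/bin/env python3
"""Idempotently add a JVM flag to the java command in a supervisord-style .ini
and check a process command line for it. Added example; the ini content is a
constructed placeholder, not VMware's authbroker.ini."""
import shlex

FLAG = "-Dlog4j2.formatMsgNoLookups=true"

# Constructed sample: one java program plus one that only mentions "java" in text.
SAMPLE_INI = """[program:authbroker]
command=/usr/bin/java -Xmx256m -jar /opt/vmware/gateway/lib/ab-frontend-0.2.jar
autorestart=true

[program:other]
command=/bin/sh -c 'echo java started'
"""


def add_jvm_flag(ini_text: str, flag: str = FLAG) -> str:
    """Insert flag right after the java executable token on each command= line
    that launches java. Lines already carrying the flag are left as they are."""
    out = []
    for line in ini_text.splitlines():
        if line.startswith("command="):
            tokens = shlex.split(line[len("command="):])
            if flag not in tokens:
                for i, tok in enumerate(tokens):
                    # the executable is 'java' or a path ending in '/java', never
                    # text inside a quoted argument such as 'echo java started'
                    if tok == "java" or tok.endswith("/java"):
                        tokens.insert(i + 1, flag)
                        line = "command=" + shlex.join(tokens)
                        break
        out.append(line)
    return "\n".join(out) + ("\n" if ini_text.endswith("\n") else "")


def flag_present(cmdline: str, flag: str = FLAG) -> bool:
    """True if the flag is a whole argument of the given process command line
    (the check step 6/8 performs by eye on ps -ef output)."""
    return flag in shlex.split(cmdline)


def demo() -> dict:
    once = add_jvm_flag(SAMPLE_INI)
    twice = add_jvm_flag(once)
    return {"idempotent": once == twice,
            "authbroker_cmd": once.splitlines()[1],
            "other_cmd_untouched": once.splitlines()[5] == SAMPLE_INI.splitlines()[5]}


if __name__ == "__main__":
    print(add_jvm_flag(SAMPLE_INI))
    for key, value in demo().items():
        print(f"{key}: {value}")
```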
Change Log

December 17th 2021: Updated to recommend deploying the fixed UAG 2111.1 version and to revise the workaround instructions from the previous Apache guidance involving -Dlog4j2.formatMsgNoLookups to the newer guidance of removing JndiLookup.class.
December 18th 2021: Syntax update, removed leading slash from chmod command.