Log4J Workarounds for VCF

By now, I’m sure you’ve heard about the latest security vulnerability with Log4J. This is certainly something that you should address immediately! Today I’ll quickly cover what the vulnerability is and how you can address the issue within a VMware Cloud Foundation environment…

The Log4J vulnerability is also known as Log4Shell, LogJam, or by its more formal name of CVE-2021-44228. This vulnerability focuses on an open-source library called Log4J.

Apache Log4J is a logging framework for Java. It’s used by countless products to provide a method for logging important information, such as security or performance information. Exploiting this vulnerability takes advantage of what is known as improper input validation. This is an issue where a user can provide input into a system and that system does not or cannot restrict how that input is handled. For example, inputting information like ‘%X’ on some systems may cause the system to interpret that as a control or formatting code.

You might ask, “Why would this matter with a simple logging framework?”. The answer lies with a capability that Log4J has called lookups. According to the Apache.org documentation, this feature provides the ability to add values to the Log4J configuration at arbitrary places. This means that something sending a log message to the system can define the data formatting and the contents of the log message.

Adding to this, is the Java Naming and Directory Interface or JNDI for short. This is a feature of the Java runtime that provides an ability to lookup information. By calling this through the Log4J lookups feature, an attacker can do any number of things – from establishing a remote connection to another machine to transferring some Java code to your system and executing it.

Obviously, this is a bad thing. So bad in fact, that it has been given a Common Vulnerability Scoring System (CVSS) severity score of 10 out of 10! An update was provided to attempt to fix it, however that fix was incomplete, leading to another vulnerability called CVE-2021-45046.

At this time, there are several exploits in the wild and companies have identified several attacks. This is certainly something you should be addressing immediately!

Now that you know what it is, how do you protect against it?

For VMware Cloud Foundation (VCF), you will want to reference this KB Article. This article proves step-by-step instructions on how to work around the affected components. There is even a script that is provided to assist you.

However, this only covers VCF. As VCF contains several other products, you need to make sure that you address each of those as well. Luckily, the VCF KB Article has links at the bottom for workarounds of all the relevant products.

Lastly, you need to check any applications that you have installed in the environment. As widespread as Log4J is used, even simple applications may be impacted by it. You should refer to the CISA web page on the Log4J vulnerability for more guidance.

Be safe and get patching!