Workaround for Log4j Vulnerability in vRealize Automation 8 and vRealize Orchestrator 8

VMware Provides Workaround for Log4j Vulnerabilities in vRealize Automation and vRealize Orchestrator

VMware has released a temporary workaround for the recently discovered Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046) affecting vRealize Automation 8.0 through 8.6.1 and vRealize Orchestrator 8.1 through 8.6.1. The workaround is available in KB87120 and provides a solution for affected customers until the next scheduled release of vRealize Automation and vRealize Orchestrator.

The temporary workaround involves creating simultaneous VM snapshots without memory for all nodes in the cluster, connecting to one of the vRealize Automation/vRealize Orchestrator nodes via SSH using the root account, executing a command to back up and modify several files, redeploying the vRealize Automation/vRealize Orchestrator Kubernetes pods across all nodes in the cluster, and verifying that the workaround has been successfully applied.

This workaround is only a temporary solution and should be applied as soon as possible. Customers are advised to check the current status of VMSA-2021-0028 for updates on addressing the vulnerability. The workaround should not be re-applied, and upgrades documented in VMSA-2021-0028 should be applied as soon as they become available.

To apply the workaround, customers must ensure that they have valid snapshots of their vRealize Automation/vRealize Orchestrator appliances before applying the solution. The process involves connecting to one of the nodes via SSH using the root account and executing a specific command to create a backup of all files that will be modified, patch several files, and redeploy the vRealize Automation/vRealize Orchestrator pods across all nodes in the cluster. After completing these steps, customers should verify that the workaround has been successfully applied by running a specific command.

The output of the SSH command indicates whether the workaround was applied: if it was applied successfully, the command produces no output. The last step is to verify that the workaround has been completed by executing another command provided in KB87120.

VMware advises customers to continue checking the current status of VMSA-2021-0028 for updates on addressing the vulnerability. The company is working on providing a permanent solution through future vRealize Automation and vRealize Orchestrator releases, but no timeline has been provided yet.

In conclusion, VMware has provided a temporary workaround for the Log4j vulnerabilities affecting vRealize Automation and vRealize Orchestrator until the next scheduled release of these products. Customers should apply the workaround as soon as possible and continue to check the current status of VMSA-2021-0028 for updates on addressing the vulnerability.