This article discusses the critical Apache Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046 as they affect VMware NSX-V.
The overall steps are described on the official VMware page; however, I had to search for some details separately to apply and test the patch.
Let's go through the steps:
 
PRE-CHANGE ACTIVITIES:
1. Take a backup of your NSX-V Manager. This is always an important step. One day it will save your life :), so please take the time and do it properly.
2. Download the patch file signed_bsh_fix_log4j.encoded from the official VMware website.
 
CONFIRMING THE VULNERABILITY IS PRESENT:
To confirm the vulnerability is present, we need to initiate a test attack against the NSX-V manager.
The test payload will be sent with POSTMAN, and the resulting NSX-V behaviour will be captured by TCPDUMP running directly on the NSX-V manager.
 
1. SSH to the NSX-V manager and switch to the root level (Engineering mode).
Additional information on how to log in to Engineering mode can be found here: https://austit.com/faq/324-nsx-engeneering-mode
If you experience issues with SSH connectivity to the NSX-V manager, some troubleshooting steps can be found here: https://austit.com/faq/353-nsx-v-enable-ssh
2. Run the following tcpdump command (it captures only loopback traffic to or from the LDAP port, so it stays quiet unless a lookup is triggered):
tcpdump -i lo -s 1500 -XX port 389
3. Using POSTMAN, send a POST request to the REST API at https://<NSX-Manager-IP>/api/2.0/services/securitygroup/globalroot-0
Authentication: Basic Auth (Username: admin)
Headers: Content-Type - application/xml
Body:
<securitygroup>

</securitygroup>
4. My result after the POST request in POSTMAN:
securitygroup-17
5. My TCPDUMP result appeared on the screen automatically (a patched system should not capture any traffic):
12:10:01.529110 IP localhost.36158 > localhost.ldap: Flags [S], seq 724932146, win 43690, options [mss 65495,nop,nop,sackOK,nop,wscale 7], length 0
0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E.
0x0010: 0034 551f 4000 4006 e7a2 7f00 0001 7f00 .4U.@.@.........
0x0020: 0001 8d3e 0185 2b35 9632 0000 0000 8002 ...>..+5.2......
0x0030: aaaa fe28 0000 0204 ffd7 0101 0402 0103 ...(............
0x0040: 0307 ..
12:10:01.529138 IP localhost.ldap > localhost.36158: Flags [R.], seq 0, ack 724932147, win 0, length 0
0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E.
0x0010: 0028 0000 4000 4006 3cce 7f00 0001 7f00 .(..@.@.<.......
0x0020: 0001 0185 8d3e 0000 0000 2b35 9633 5014 .....>....+5.3P.
0x0030: 0000 61a2 0000 ..a...
 
PATCHING THE SYSTEM:
The patch is applied through the REST API using POSTMAN.
 
1. Using POSTMAN, send a POST request to the REST API at https://<NSX-Manager-IP>/api/1.0/services/debug/script
Authentication: Basic Auth (Username: admin)
Headers: Content-Type - application/xml
Body: select 'Binary' as the body type and attach the file signed_bsh_fix_log4j.encoded
2. My result after the POST request in POSTMAN is "1".
Status: 200 OK.

CONFIRMING THE VULNERABILITY IS GONE:
To confirm the patch was installed successfully, we repeat the test attack against the NSX-V manager.
The test payload will be sent with POSTMAN, and the resulting NSX-V behaviour will be captured by TCPDUMP running directly on the NSX-V manager.
 
1. SSH to the NSX-V manager and switch to the root level (Engineering mode).
Additional information on how to log in to Engineering mode can be found here: https://austit.com/faq/324-nsx-engeneering-mode
If you experience issues with SSH connectivity to the NSX-V manager, some troubleshooting steps can be found here: https://austit.com/faq/353-nsx-v-enable-ssh
2. Run the following tcpdump command:
tcpdump -i lo -s 1500 -XX port 389
3. Using POSTMAN, send a POST request to the REST API at https://<NSX-Manager-IP>/api/2.0/services/securitygroup/globalroot-0
Authentication: Basic Auth (Username: admin)
Headers: Content-Type - application/xml
Body:
<securitygroup>

</securitygroup>
4. My result after the POST request in POSTMAN:
Status: 404 Not Found
5. My TCPDUMP result shows no output.
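Both checks above (before and after patching) come down to reading the tcpdump summary lines by eye: a SYN from the manager towards port 389 on the loopback means the lookup still fired, while an empty capture means it did not. The following is an added example, not part of the original article or any VMware tooling, that parses saved tcpdump output of that kind and returns a verdict; the sample capture is constructed from the two summary lines shown in the pre-patch check plus one unrelated line, and the names `find_ldap_attempts` and `verdict` are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the two loopback summary lines from the pre-patch check,
# plus one unrelated HTTPS line so the filter has something to ignore.
SAMPLE_CAPTURE = """\
12:10:01.529110 IP localhost.36158 > localhost.ldap: Flags [S], seq 724932146, win 43690, options [mss 65495,nop,nop,sackOK,nop,wscale 7], length 0
12:10:01.529138 IP localhost.ldap > localhost.36158: Flags [R.], seq 0, ack 724932147, win 0, length 0
12:10:02.000000 IP localhost.443 > localhost.51000: Flags [P.], seq 1:100, ack 1, win 500, length 99
"""

# Matches the tcpdump one-line TCP summary; hex dump lines (0x0000: ...) do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+)\.(?P<sport>\w+) > "
    r"(?P<dst>\S+)\.(?P<dport>\w+): Flags \[(?P<flags>[^\]]*)\]"
)
LDAP_PORTS = {"ldap", "389"}  # tcpdump prints the service name when it can resolve it


@dataclass
class LdapAttempt:
    ts: str
    src: str
    sport: str
    dst: str
    refused: bool = False  # True when the peer answered the SYN with a RST


def find_ldap_attempts(capture: str) -> List[LdapAttempt]:
    """Return every pure SYN aimed at port 389, marking those that were refused."""
    attempts: List[LdapAttempt] = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flags = m["flags"]
        if m["dport"] in LDAP_PORTS and "S" in flags and "." not in flags:
            attempts.append(LdapAttempt(m["ts"], m["src"], m["sport"], m["dst"]))
        elif m["sport"] in LDAP_PORTS and flags.startswith("R"):
            # A RST from the LDAP port back to the client: nothing was listening.
            for a in attempts:
                if a.src == m["dst"] and a.sport == m["dport"]:
                    a.refused = True
    return attempts


def verdict(capture: str) -> str:
    """Summarise a capture the way the manual check above is read."""
    attempts = find_ldap_attempts(capture)
    if not attempts:
        return "no LDAP callback observed: consistent with a patched manager"
    return f"{len(attempts)} LDAP callback attempt(s) observed: the lookup still fires"
```

Run it against a file saved from the same tcpdump command (`tcpdump ... > capture.txt`) by passing the file's contents to `verdict`; the refused flag tells you the connection attempt itself was the only symptom, as in the capture above.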
 
Hope it helps, HAPPY PATCHING.
