This article walks through applying VMware's fix for the critical Apache Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046 to VMware NSX-V.
The overall steps are described on the official VMware page; however, I had to search for some details separately in order to apply and test the patch.
Let's go through the steps:
PRE-CHANGE ACTIVITIES:
1. Take a backup of your NSX-V Manager. This is always an important step. One day it will save your life :), so please take the time and do it properly.
2. Download the patch file signed_bsh_fix_log4j.encoded from the official VMware website, and compare its checksum with the value published next to the download before uploading it to the manager.
CONFIRMING THE VULNERABILITY IS PRESENT:
To confirm the vulnerability is present, we initiate a test attack against the NSX-V Manager.
The test payload is sent with Postman, and the NSX-V Manager's behaviour is captured by tcpdump running directly on the NSX-V Manager. The payload carries a Log4Shell JNDI lookup string that points at the manager's own loopback LDAP port (127.0.0.1:389): a vulnerable Log4j resolves the lookup and opens a TCP connection to that port. The connection never leaves the appliance, and since nothing listens on that port it is reset immediately, but the SYN on the loopback interface is all the evidence needed.
1. SSH to the NSX-V Manager and drop to the root shell (Engineering mode).
Additional information on how to log in to Engineering mode can be found here: https://austit.com/faq/324-nsx-engeneering-mode
If you experience issues with SSH connectivity to the NSX-V Manager, some troubleshooting steps can be found here: https://austit.com/faq/353-nsx-v-enable-ssh
2. Run the following tcpdump command. It listens on the loopback interface only, so legitimate LDAP traffic from the manager to a directory server on the network is not captured and cannot produce a false positive:
tcpdump -i lo -s 1500 -XX port 389
3. Using Postman, POST to https://<NSX-Manager-IP>/api/2.0/services/securitygroup/globalroot-0
Authentication: Basic Auth (Username: admin)
Headers: Content-Type - application/xml
Body: a securitygroup document whose element content carries the JNDI lookup string pointing at ldap://127.0.0.1:389
<securitygroup>
</securitygroup>
Note that on an unpatched manager this request really creates a security group (the response is its object ID), so delete that object afterwards rather than leaving the lookup string in the inventory.
4. My result after the POST request in Postman:
securitygroup-17
5. My result from tcpdump appeared on the screen automatically (a patched system should not capture any traffic):
12:10:01.529110 IP localhost.36158 > localhost.ldap: Flags [S], seq 724932146, win 43690, options [mss 65495,nop,nop,sackOK,nop,wscale 7], length 0
0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E.
0x0010: 0034 551f 4000 4006 e7a2 7f00 0001 7f00 .4U.@.@.........
0x0020: 0001 8d3e 0185 2b35 9632 0000 0000 8002 ...>..+5.2......
0x0030: aaaa fe28 0000 0204 ffd7 0101 0402 0103 ...(............
0x0040: 0307 ..
12:10:01.529138 IP localhost.ldap > localhost.36158: Flags [R.], seq 0, ack 724932147, win 0, length 0
0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E.
0x0010: 0028 0000 4000 4006 3cce 7f00 0001 7f00 .(..@.@.<.......
0x0020: 0001 0185 8d3e 0000 0000 2b35 9633 5014 .....>....+5.3P.
0x0030: 0000 61a2 0000 ..a...
PATCHING SYSTEM:
The patch is applied through the REST API with Postman, using the endpoint given in the VMware KB article for this fix.
1. Authentication: Basic Auth (Username: admin)
2. Headers: Content-Type - application/xml
3. Body: select 'Binary' as the body type and attach the file signed_bsh_fix_log4j.encoded
4. My result after the POST request in Postman is "1".
Status: 200 OK.
CONFIRMING NO VULNERABILITY ANYMORE:
To confirm the patch was installed successfully, we repeat the same test attack against the NSX-V Manager.
The test payload is sent with Postman, and the NSX-V Manager's behaviour is captured by tcpdump running directly on the NSX-V Manager.
1. SSH to the NSX-V Manager and drop to the root shell (Engineering mode), as before.
Additional information on how to log in to Engineering mode can be found here: https://austit.com/faq/324-nsx-engeneering-mode
If you experience issues with SSH connectivity to the NSX-V Manager, some troubleshooting steps can be found here: https://austit.com/faq/353-nsx-v-enable-ssh
2. Run the same tcpdump command on the loopback interface:
tcpdump -i lo -s 1500 -XX port 389
3. Using Postman, POST to https://<NSX-Manager-IP>/api/2.0/services/securitygroup/globalroot-0
Authentication: Basic Auth (Username: admin)
Headers: Content-Type - application/xml
Body: the same securitygroup document carrying the JNDI lookup string pointing at ldap://127.0.0.1:389
<securitygroup>
</securitygroup>
4. My result after the POST request in Postman:
Status: 404 Not Found
5. My result from tcpdump shows no output.
Keep in mind what the silent capture proves: this one input path (a logged security group name) no longer triggers a JNDI lookup. It is a targeted confirmation of the fix, not a general scan of the appliance.
Hope it helps. HAPPY PATCHING!