VxRail: Information on Log4Shell (CVE-2021-44228/CVE-2021-45046/CVE-2021-4104) and VxRail environments
Summary: This article outlines the response from VxRail Engineering to the Apache Log4j Remote Code Execution Vulnerability issue known as Log4Shell. This is described in CVE-2021-44228, CVE-2021-45046, and CVE-2021-4104 (Dell article DSN-2021-007, VMware article VMSA-2021-0028) ...
Instructions
The Apache Software Foundation has published information about a critical Apache Log4j Library Remote Code Execution Vulnerability issue known as Log4Shell. This is detailed in the GitHub Advisory Database (also detailed in CVE-2021-44228, CVE-2021-45046, and CVE-2021-4104). This library is heavily used in Java-based programs to log events to disk. Several components in the VxRail and VMware software stacks use this library.
Dell published the following security articles related to this issue:
- DSA-2021-265: Dell EMC VxRail Security Update for Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)
- DSN-2021-007: Dell Response to Apache Log4j Remote Code Execution Vulnerability
VMware published several articles related to its products:
- VMware Security Advisory VMSA-2021-0028
- VMSA-2021-0028: Questions & Answers
- Python script to automate the workaround steps of VMSA-2021-0028 vulnerability on vCenter Server Appliance (87088)
- Workaround instructions to address CVE-2021-44228 in VMware Cloud Foundation (87095)
The following information describes the issue and how it impacts VxRail releases.
Impact on VxRail releases
Several components in the VxRail Software stack (VxRail Manager and VMware vSphere) are impacted.
Status of issue in current VxRail releases:
- This issue has been resolved in VxRail Package Software 7.0.320
- This issue has been resolved in VxRail Appliance Software 4.7.541
- This issue has been resolved in VxRail Appliance Software 4.5.471
Note: Older VxRail releases such as VxRail Appliance Software release 4.0.xxx are also impacted.
VxRail environments with VxRail deployed or managed vCenter
VMware published a workaround for the vCenter Server Appliance (vCSA). Information on this workaround can be found in the VMSA-2021-0028 article.
VxRail environments with customer/external managed vCenter or other VMware components and products
For a customer-managed or external vCenter, see the VMware VMSA-2021-0028 article for information about workarounds and other remediation steps.
Customers can implement workarounds or remediations recommended by VMware in those articles as required.
Note: There are scenarios where ESXi versions must be upgraded before upgrading the vCenter version to 7.0u3c or later. See the following article for more information:
If any assistance is required with a non-VxRail managed vCenter, then reach out to VMware for assistance. For other VxRail components, reach out to Dell Support for help.
For VMware products outside VxRail, reach out to VMware for assistance.
Note: VMware provided a script to automate all the changes required to implement the workarounds in vCenter Server Appliance (vCSA). For VxRail 4.5/4.7 environments, run the script first on the Platform Service Controller (PSC) and then on the vCSA appliance; both appliances must implement the workaround. For workarounds with other VMware products, see VMSA-2021-0028 above.
Impact on VMware Cloud Foundation on Dell VxRail
VMware Cloud Foundation upgrades are performed in the Lifecycle Management interface in SDDC Manager.
Status of issue in current VMware Cloud Foundation on Dell VxRail releases:
- This issue is resolved in VMware Cloud Foundation 3.11
- This issue is resolved in VMware Cloud Foundation 4.4
For more detailed information about this issue in VCF, see the following VMware article:
Impact on applications and services running in Virtual Machines
Any remediations performed on VxRail or associated VMware components protect those components against the vulnerability.
They do not remediate applications or services running within Virtual Machines (VMs), which may be exposed to the Apache Log4j Library Remote Code Execution Vulnerability.
Dell Technologies recommends that customers check with their application/software vendors for services running in VMs to ensure that they are not impacted.
Any impacted applications or services within VMs must be remediated as per your software vendor's documentation or remediation steps.