#!/usr/bin/env python
"""
__license__ = "SPDX-License-Identifier: MIT"
__copyright__ = "Copyright (C) 2021 VMware, Inc.
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in the
Software without restriction, including without limitation the rights to use,
copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the
Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
===
Mitigates the CVE-2021-44228 vulnerability in VMware vCenter Server, for both
Virtual Appliance and Microsoft Windows environments. This script automates the
guidance found under https://kb.vmware.com/s/article/87081 and
https://kb.vmware.com/s/article/87096
This script can run in its default remediation mode or in dry run scan mode.
Remediation mode applies fixes to the vCenter configuration and library code.
Dry run scan mode is used to identify vulnerable files and validate the fixes
from a remediation run.
The steps in the remediation mode are:
1. Stop all services to unlock all configuration and library files that may
need remediation. This step uses "service-control --stop --all" command.
2. Scan Java library files (*.jar and *.war) for "JndiLookup.class" and remove it.
3. Based on the vCenter system version, deployment flavour and OS type, scan the
configuration files for the "-Dlog4j2.formatMsgNoLookups=true" configuration
option and add it where it is missing.
4. Start all services using "service-control --start --all"
In the remediation mode any modified files are backed up. The backup location
needs to be set with "-b" option or will default to a temporary folder that must
be backed up immediately after running the script.
In dry run scan mode the script will only examine the files from steps 2 and 3
above and report any potentially vulnerable files. No service stop and start is
needed in dry run mode. The dry run mode is activated with "-r".
The script produces a detailed log file under the VMWARE_LOG_DIR folder.
"""
import os
import sys
import shutil
from distutils.file_util import copy_file
import zipfile
import codecs
import tempfile
import subprocess
import logging
import argparse
import hashlib
import json
from datetime import datetime
from itertools import chain
import re
# Module-level logger used throughout this file.
LOG = logging.getLogger(__name__)
# exit code constants
# Process exit statuses. Only ERROR_MISSING_IMPORT is used in the visible part
# of the file (passed to sys.exit when the pywin32 imports fail); the meaning of
# the others is read from their names -- confirm against the call sites.
COMPLETED_OK = 0
ERROR_USER_INPUT = 1
# "STOPING" (sic): the identifier is kept as spelled because other code may
# reference it by this name.
ERROR_STOPING_SERVICES = 2
ERROR_STARTING_SERVICES = 3
ERROR_PATH_NOT_A_DIRECTORY = 4
ERROR_UNHANDLED_EXCEPTION = 5
# presumably returned when vCenter HA is detected -- confirm against caller
ERROR_VCHA_ENABLED = 6
ERROR_MISSING_IMPORT = 7
# Make vCenter's bundled Python packages importable. The directory comes from
# the VMWARE_PYTHON_PATH environment variable: a missing variable raises
# KeyError right here, and because modules are imported from that directory
# below, the environment the script is launched from has to be trusted.
# append() puts the directory last on sys.path, so it is searched after the
# entries that are already there.
sys.path.append(os.environ['VMWARE_PYTHON_PATH'])
try:
    from cis.tools import get_install_parameter
    from cis.exceptions import InstallParameterException
except ImportError:
    # cis is unavailable: define a stand-in so that
    # "except InstallParameterException" clauses still resolve.
    # get_install_parameter stays undefined in this case, which is why
    # Environment.__init__ also catches NameError around its call.
    class InstallParameterException(Exception):
        """Imitates missing InstallParameterException class"""

if sys.platform in ['win32', 'cygwin', 'windows']:
    # Registry access: prefer six's alias, fall back to the Python 2 module name.
    try:
        from six.moves import winreg
    except ImportError:
        import _winreg as winreg
    # The pywin32 modules are mandatory on Windows; without them the script
    # stops with ERROR_MISSING_IMPORT. NOTE(review): their use is not visible in
    # this part of the file, and no logging handler is configured in the visible
    # code before this point, so where this error message ends up depends on
    # logging's default behaviour -- confirm.
    try:
        import win32security
        import win32api
    except ImportError:
        LOG.error("Unable to import win32security and/or win32api")
        sys.exit(ERROR_MISSING_IMPORT)
SCRIPT_VERSION = "1.6.0"
# Archive-internal path of the class that the module docstring's step 2 looks
# for inside *.jar and *.war files and removes.
JNDI_PATH = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
BACKUP_DIR = ""  # This is initialized below
# None when VMWARE_LOG_DIR is not set in the environment (os.environ.get).
LOG_DIR = os.environ.get('VMWARE_LOG_DIR')
# presumably the base name of the log file written under LOG_DIR -- confirm
LOG_NAME = "vmsa-2021-0028"
# 1 MiB; presumably the read size used when hashing files -- confirm against
# the hashing helper, which is not visible here.
HASHING_CHUNK_SIZE = 1024 * 1024
# SHA-256 digests of log4j-core builds the authors label as safe (both are
# 2.16.0 according to the inline notes).
# NOTE(review): the code that consumes this list is not visible here;
# presumably a jar whose digest matches is left unmodified -- confirm.
# An exact-digest allowlist recognises only these two files: a repackaged or
# newer log4j-core jar will not match. Later Log4j releases fixed further
# issues, so a match here does not mean the jar is current.
SAFE_SHA256_HASHES = [
    '085e0b34e40533015ba6a73e85933472702654e471c32f276e76cffcf7b13869',  # log4j-core-2.16.0.jar from apache.org
    '5d241620b10e3f1475320bc9552cf7bcfa27eeb9b1b6a891449e76db4b4a02a8'  # log4j-core-2.16.0.jar from mvnrepository/build-artifactory
]
# Deployment types
# Values compared against the node's 'deployment.node.type' setting by
# Environment.has_identity_svcs() and Environment.has_mgmt_svcs().
DEPLOY_TYPE_PSC = "infrastructure"
DEPLOY_TYPE_EMBEDDED = "embedded"
DEPLOY_TYPE_MANAGEMENT = "management"
class Environment:
"""
Collect VMware environment specific information
"""
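def __init__(self):
    """
    Detect the vCenter version, build, deployment type and platform.

    Use on vCenter 6.5 and later only.

    Sources read:
      * Windows: the BuildNumber and ProductVersion values of the
        vCenter Server key under HKEY_LOCAL_MACHINE.
      * Appliance: the 'build' entry of
        /etc/applmgmt/appliance/update.conf, and the last space-separated
        token of the first non-blank line of /etc/issue as the version.
        The appliance is flagged as a gateway when that line contains
        "Gateway".
      * Deployment type: get_install_parameter('deployment.node.type'),
        or the file $VMWARE_CFG_DIR/deployment.node.type when that helper
        is undefined or raises InstallParameterException.

    If no deployment-type source works, the failure is only logged and the
    attribute stays unset, so the str(self) call at the end raises
    AttributeError rather than continuing with an unknown node type.
    """
    self.__gateway = False
    LOG.debug("Determining vCenter version and type")
    self.__is_windows = sys.platform in ['win32', 'cygwin', 'windows']
    if self.__is_windows:
        reg = winreg.ConnectRegistry(None, winreg.HKEY_LOCAL_MACHINE)
        key = winreg.OpenKey(reg, r"SOFTWARE\VMware, Inc.\vCenter Server")
        self.__build = winreg.QueryValueEx(key, 'BuildNumber')[0]
        self.__version = winreg.QueryValueEx(key, 'ProductVersion')[0]
    else:
        with open("/etc/applmgmt/appliance/update.conf", 'r') as file_descriptor:
            data = json.load(file_descriptor)
            self.__build = data['build']
        with open("/etc/issue", 'r') as file_descriptor:
            for line in file_descriptor:
                if not line.strip():
                    continue
                # Only the first non-blank line is inspected.
                version = line
                if "Gateway" in line:
                    self.__gateway = True
                break
        # NOTE(review): an /etc/issue without any non-blank line leaves
        # 'version' unbound and this line raises; a line without a space
        # raises IndexError. Both abort construction.
        version = version.rsplit(' ', 1)[1]
        self.__version = version.strip()
    try:
        LOG.debug("Getting deploy type")
        self.__deploytype = get_install_parameter('deployment.node.type', quiet=True)
    except (InstallParameterException, NameError):
        # NameError covers the case where the cis import failed and
        # get_install_parameter was never defined.
        try:
            node_type_path = os.path.join(os.environ['VMWARE_CFG_DIR'],
                                          'deployment.node.type')
            with open(node_type_path, 'r') as file_descriptor:
                # Strip surrounding whitespace: has_identity_svcs() and
                # has_mgmt_svcs() compare this value by exact match, so a
                # trailing newline in the file would make both return False
                # and the node would be treated as having neither service
                # set.
                self.__deploytype = file_descriptor.read().strip()
        except Exception as e:
            LOG.error("Unhandled exception occurred while trying "
                      "to get system deployment type from configuration file: %s", e)
    except Exception as e:
        LOG.error("Unhandled exception occurred while trying "
                  "to get system deployment type using python script: %s", e)
    self.__has_vcha = os.path.isfile("/etc/vmware-vcha/vcha.cfg")
    LOG.debug("Computed version: %s", str(self))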
def __str__(self):
    """Render the detected environment facts as a single line for logging."""
    template = ("Version: %s; Build: %s; Deployment type: %s; "
                "Gateway: %s; VCHA: %s; Windows: %s;")
    facts = (
        self.__version,
        self.__build,
        self.__deploytype,
        self.__gateway,
        self.__has_vcha,
        self.__is_windows,
    )
    return template % facts
def is_7(self):
    """Report whether the detected product version belongs to the 7.x line."""
    detected = self.__version
    return detected.startswith("7.")
def is_6(self):
    """Report whether the detected product version belongs to the 6.x line.

    True for every 6.x release, 6.5.x included.
    """
    detected = self.__version
    return detected.startswith("6.")
def is_65(self):
    """Report whether the detected product version belongs to the 6.5.x line."""
    detected = self.__version
    return detected.startswith("6.5.")
def is_gateway(self):
    """Return the gateway flag recorded while the environment was detected.

    The flag starts as False and is set in __init__ when the inspected
    /etc/issue line contains "Gateway".
    """
    gateway_flag = self.__gateway
    return gateway_flag
def has_identity_svcs(self):
    """Report whether this node's deployment type includes identity services.

    True for the embedded and the infrastructure (PSC) deployment types;
    the comparison is an exact match on the stored value.
    """
    node_type = self.__deploytype
    return node_type == DEPLOY_TYPE_EMBEDDED or node_type == DEPLOY_TYPE_PSC
def has_mgmt_svcs(self):
    """Report whether this node's deployment type includes management services.

    True for the embedded and the management deployment types; the
    comparison is an exact match on the stored value.
    """
    node_type = self.__deploytype
    return node_type == DEPLOY_TYPE_EMBEDDED or node_type == DEPLOY_TYPE_MANAGEMENT
def has_vcha(self):
"""Checks if current environment has HA enabled"""
retu