Updated December 15, 2021.
Two vulnerabilities have been discovered in the logging library Log4j2, which is used by Varnish Administration Console. These are identified as CVE-2021-44228 and CVE-2021-45046. Note that no other products from Varnish Software are affected by the same CVEs.
An earlier version of this advisory indicated that setting the log4j2.formatMsgNoLookups=true parameter was a sufficient workaround for affected versions of Varnish Administration Console. Continued security research (tracked as CVE-2021-45046) has shown that this setting does not disable lookups in every logging configuration, so the workaround is not sufficient and should not be relied on.
Varnish Administration Console installations that are reachable from the internet are at risk. An attacker can send a crafted request to Varnish Administration Console; when the attacker-controlled data is written to the log, the Log4j2 library evaluates the embedded lookup (such as a JNDI lookup) and the attacker can execute arbitrary code in the console's Java process.
The solution is to upgrade Varnish Administration Console to version 3.9.1, and then ensure that Varnish Administration Console is restarted. The restart is done using:
$ sudo systemctl restart vac
If upgrading to Varnish Administration Console 3.9.1 is not possible, a workaround is to replace the affected Log4j jar files in /opt/vac/lib/. Delete the files log4j-core-2.13.3.jar (the version number may differ) and replace them with the corresponding files from apache-log4j-2.16.0-bin.tar.gz (SHA256 d4a5135c761abdc50690d0d4f17759228761f7296361dd14df130913c215879c; verify the checksum before extracting the archive), i.e. log4j-core-2.16.0.jar. The same replacement must be made for the Log4j jar files packaged inside the /opt/vac/lib/vac.war archive. Restart Varnish Administration Console afterwards (sudo systemctl restart vac), since the running Java process keeps using the jars it loaded at startup until it is restarted.
This is the recommended workaround for all versions of Varnish Administration Console if an upgrade to version 3.9.1 is not possible.
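To confirm that the upgrade or the workaround above actually left no affected Log4j jar behind, both loose in /opt/vac/lib/ and packaged inside vac.war, the following audit script is added here as an example. It is not part of this advisory and not a Varnish Software tool. It assumes only what the advisory states: the library directory /opt/vac/lib, the jar naming scheme log4j-core-<version>.jar, the fixed version 2.16.0, and the published SHA256 of apache-log4j-2.16.0-bin.tar.gz. The build_sample_install() function builds a constructed directory tree for offline testing; it is not a real installation.

```python
"""Audit a Varnish Administration Console install tree for log4j-core jars
older than the version named in the advisory (2.16.0), including jars
bundled inside the vac.war archive, and verify the SHA256 of a downloaded
apache-log4j-2.16.0-bin.tar.gz before its contents are used."""
import hashlib
import os
import re
import tempfile
import zipfile

# Digest of apache-log4j-2.16.0-bin.tar.gz as published in the advisory.
LOG4J_2_16_0_TARBALL_SHA256 = (
    "d4a5135c761abdc50690d0d4f17759228761f7296361dd14df130913c215879c"
)

# Lowest log4j-core version the advisory treats as fixed. Raise this if a
# later advisory names a newer release; everything below it is reported.
MIN_FIXED = (2, 16, 0)

# Matches log4j-core-<major>.<minor>.<patch>.jar on disk or as a zip entry.
LOG4J_CORE_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
ARCHIVE_SUFFIXES = (".war", ".ear", ".zip")


def parse_version(name):
    """Return (major, minor, patch) for a log4j-core jar name, else None."""
    m = LOG4J_CORE_RE.search(name)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version):
    """True when the jar version is older than the fixed version."""
    return version < MIN_FIXED


def scan_install(root):
    """Walk `root` and report every log4j-core jar found loose on disk or
    inside a .war/.ear/.zip archive as (location, version, vulnerable)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            ver = parse_version(fname)
            if ver:
                findings.append((path, ".".join(map(str, ver)), is_vulnerable(ver)))
            # Jars packaged inside vac.war are loaded by the same JVM, so an
            # old copy there is just as exploitable as a loose one.
            if fname.endswith(ARCHIVE_SUFFIXES) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for entry in zf.namelist():
                        ver = parse_version(entry)
                        if ver:
                            loc = f"{path}!{entry}"
                            findings.append((loc, ".".join(map(str, ver)), is_vulnerable(ver)))
    return findings


def vulnerable_locations(root):
    """Locations (paths or war!entry) whose log4j-core is still affected."""
    return [loc for loc, _, vuln in scan_install(root) if vuln]


def verify_sha256(path, expected_hex):
    """Compare a downloaded file against a published digest before using it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == expected_hex.lower()


def build_sample_install(version="2.13.3"):
    """Constructed test fixture, not a real VAC install: a temporary tree
    mimicking /opt/vac/lib with a loose log4j-core jar and a vac.war that
    bundles the same jar under WEB-INF/lib/. Returns the tree's root."""
    root = tempfile.mkdtemp(prefix="vac-audit-")
    lib = os.path.join(root, "opt", "vac", "lib")
    os.makedirs(lib)
    jar = f"log4j-core-{version}.jar"
    with open(os.path.join(lib, jar), "wb") as f:
        f.write(b"")  # jar content is irrelevant; only the name is inspected
    with zipfile.ZipFile(os.path.join(lib, "vac.war"), "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr(f"WEB-INF/lib/{jar}", b"")
    return root


if __name__ == "__main__":
    # On a real host: audit the directory the advisory names.
    for loc, ver, vuln in scan_install("/opt/vac/lib"):
        print(f"{'VULNERABLE' if vuln else 'ok        '} {ver:8} {loc}")
```

Run it on the console host after the upgrade or the jar replacement; any line marked VULNERABLE means a jar older than 2.16.0 is still present and the service is still exposed once restarted. Check the tarball with verify_sha256(path, LOG4J_2_16_0_TARBALL_SHA256) before copying jars out of it.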