likeahoss
Enthusiast
Enthusiast

VCSA 7.0 U3d and log4j

Hello All,

I'm running that latest 7.0 U3d vCenter/vCSA.  My ACAS scanner plugin is picking up older (RCE vulnerable) log4j packages and files.

Has anyone else run into this issue and are they false-positive?

Labels (4)
0 Kudos
3 Replies
virtsysadmin
Enthusiast
Enthusiast

according to the release notes it has newer log4j version - https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3d-release-notes.html

Apache log4j is updated to version 2.17.1.



I am a VMware employee, But I contribute to VMTN voluntarily (ie. not in any official capacity)
VCIX-DCV 2020|VCP|VCP vSphere 7|MCTS|RHCA|CCNA|ITIL| Master Specialist - VMware Cloud on AWS 2021
Please hit resolved, when your question has been answered.
Sandman3
Contributor
Contributor

Hi, did you manage to get any more information regarding this. Similar to yourself Nessus picks up the same vulnerabilities due to the packages still being there even after upgrade. 

Would be nice to get an official VMware response regarding this.

Thanks

0 Kudos
chris_olsen
Contributor
Contributor

Hello,

I can't speak to the specifics of the SecureStrux solution, but I can say our Tenable/Nessus gives both 7.0 U3C and U3E (build 19717403) a clean bill of health.  I've definitely seen Nessus in the past see some remnant of an older package and then flag it as bad (just because the installer didn't clean up the old structure) but I don't know if that's what ACAS is seeing or what...

Hope that helps

0 Kudos