VMware Cloud Community
aarefsayyad
Contributor
Contributor
‎12-13-2021 01:33 AM

how to check log4j version on my Vcenter?

Hello Guys, can someone help me with b

this, how can I check log4j version on my windows Vcenter?  I checked from control panel and found VMware-Apache-Tomcat version 6.5.0.63800 .

Is this version 6.5.0.63800 and log4j version between 2.0 and 2.14.1 are same?

 

Regards 

Aaref Sayyad 

0 Kudos
7 Replies
towerxu
Contributor
Contributor
‎12-13-2021 02:36 PM

same question

0 Kudos
JoanDPinzonM
Contributor
Contributor
‎12-15-2021 10:28 AM

I have the same question but how can I check the version of log4j from the linux-based vcenter virtual appliance?

Only On Line
0 Kudos
L3HarrisLeonard
Contributor
Contributor
‎12-15-2021 11:28 AM

According to Workaround instructions to address CVE-2021-44228 in vCenter Server and vCenter Cloud Gateway (87081...

You can verify the work around worked so I assume the same negative results will show you have the effected version.

Verify the changes

Once all sections are complete, use the following steps to confirm if they were implemented successfully.

  1. Verify if the vMon services were started with the new -Dlog4j2.formatMsgNoLookups=true parameter:
ps auxww | grep formatMsgNoLookups

Check if the processes include -Dlog4j2.formatMsgNoLookups=true
 
2.Verify the Update Manager changes are shown under "System Properties" in the output of the following two commands:

cd /usr/lib/vmware-updatemgr/bin/jetty/
java -jar start.jar --list-config
 
System Properties:
------------------
 log4j2.formatMsgNoLookups = true (/usr/lib/vmware-updatemgr/bin/jetty/start.ini)

3. Verify the Analytics Service changes:

grep -i jndilookup /usr/lib/vmware/common-jars/log4j-core-2.8.2.jar | wc -l
 
This should return 0 lines 
0 Kudos
NeenaJim
Enthusiast
Enthusiast
‎01-12-2022 11:28 AM

Does anyone know how to find the log4j version of a vCenter appliance? Is there any simple command that I can run and find the version? I was searching this online and it seems no has answered!

Expectation is after running a command we would be able to see something like 2.16 or 2.17 etc.

Please help if you know it.

0 Kudos
IRIX201110141
Champion
Champion
‎01-12-2022 05:01 PM

@NeenaJim 

What wrong with https://kb.vmware.com/s/article/87081?lang=en_US  ?. Script comes with a dry run mode.

Regards,
Joerg

Ajay1988
Expert
Expert
‎01-12-2022 07:29 PM

log4j is not a installable package, it is a java file bundled with other installed packages. Meaning every installed package with log4j could theoretically have a different version. As you see in that output, there are at least 3 different versions there .

Ajay1988_0-1642044456029.png

So just follow the KB to get the workaorund-https://kb.vmware.com/s/article/87081 ..Actual patch for vCSA will come in a future release.

Follow https://www.vmware.com/security/advisories/VMSA-2021-0028.html

 

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ
NeenaJim
Enthusiast
Enthusiast
‎02-15-2022 06:19 AM

Thank you Ajay, this works for me.

0 Kudos