ferexderta
Enthusiast

log4j

I am using vCenter appliance 6.5 U2. VMware has not released a patch for log4j yet. VMware offers a temporary solution. Do you think I should wait for the patch or apply the workaround?

0 Kudos
4 Replies
ESNJR
Contributor

I'm also trying to figure out what the lines below actually do in vCenter for the workaround.

log4j_arg="-Dlog4j2.formatMsgNoLookups=true"
exec $java_start_bin $jvm_dynargs $log4j_arg "$@"

 

0 Kudos
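
The second quoted line starts the JVM with one extra `-D` system property added to its options; `log4j2.formatMsgNoLookups=true` tells Log4j 2 (2.10 and later) not to expand lookup expressions found in log messages. The script below is an added example, not part of the original post or of VMware's scripts, for checking that a running Java process actually carries the property; the function names and the sample process lines are constructed, and it assumes input in the form printed by `ps -eo pid=,args=`.

```shell
#!/bin/sh
# Added example: audit JVM command lines for the Log4j workaround flag.
# Input: one process per line, "PID ARGS...", e.g. from: ps -eo pid=,args=

# Constructed sample input (not taken from a real vCenter appliance).
sample_ps() {
    cat <<'EOF'
 2101 /usr/java/jre/bin/java -Xmx256m -Dlog4j2.formatMsgNoLookups=true -cp /opt/app/lib/* com.example.ServiceA
 2202 /usr/java/jre/bin/java -Xmx512m -jar /opt/app/service-b.jar -Dlog4j2.formatMsgNoLookups=true
 2303 /usr/java/jre/bin/java -Dlog4j2.formatMsgNoLookups=true -Dlog4j2.formatMsgNoLookups=false com.example.ServiceC
 2404 /usr/sbin/sshd -D
EOF
}

# Print "PID STATUS" for every java process read from stdin.
#   OK       - property present as a JVM option and set to true
#   DISABLED - property present but its effective value is not true
#   MISSING  - property absent from the JVM options
audit_jvm_flags() {
    awk -v prefix='-Dlog4j2.formatMsgNoLookups=' '
    {
        exe = $2
        sub(/.*\//, "", exe)              # basename of the executable
        if (exe != "java") next
        status = "MISSING"
        for (i = 3; i <= NF; i++) {
            # These options consume the next word as their value.
            if ($i == "-cp" || $i == "-classpath" || $i == "--class-path") { i++; continue }
            # JVM options end at -jar or at the main class; anything
            # after that is an application argument, not a JVM flag.
            if ($i == "-jar" || $i !~ /^-/) break
            if (index($i, prefix) == 1) {
                val = tolower(substr($i, length(prefix) + 1))
                # A repeated property is judged by its last occurrence.
                status = (val == "true") ? "OK" : "DISABLED"
            }
        }
        print $1, status
    }'
}

sample_ps | audit_jvm_flags
```

On a live system, feed it the real process list instead of the sample: `ps -eo pid=,args= | audit_jvm_flags`.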
tractng
Enthusiast

For the workaround on vCenter 6.5, do I make all the changes on the services as recommended here?

https://kb.vmware.com/s/article/87081?lang=en_US

Do all of these services run by default for this version?

stsd, idmd, psc-client, and vMon

Thanks,

TT

0 Kudos
ferexderta
Enthusiast

My question is, should I wait for the patch or apply the solution urgently? Are you applying the workaround to your infrastructure in the production environment or are you waiting for my patch?

What exactly is the meaning of temporary solution?

0 Kudos
sjesse
Leadership

Most people would; it's the highest CVE score possible, meaning that it's the worst that it can get. Review the scoring at a site like this:

https://nvd.nist.gov/vuln-metrics/cvs

If you don't do the workaround, any machine is at risk. How averse you are to that risk is up to you; if these apps are in their own network that requires multiple jumps to get to, you may not be that concerned because they need access to the network. To me, not doing the workaround is like watching your house burn while you hope someone is coming; you can do something now so I would suggest that you d

0 Kudos