I am using vCenter Appliance 6.5 U2. VMware has not released a patch for Log4j yet. VMware offers a temporary solution. Do you think I should wait for the patch or apply the workaround?
I'm also trying to figure out what the lines below actually do in vCenter for the workaround.
# JVM system property that turns off Log4j 2 message lookups (the mitigation the workaround applies)
log4j_arg="-Dlog4j2.formatMsgNoLookups=true"
# start the service's JVM with its usual dynamic arguments plus that flag, passing the script's own arguments through
exec $java_start_bin $jvm_dynargs $log4j_arg "$@"
For the workaround on vCenter 6.5, do I make all the changes on the services as recommended here:
https://kb.vmware.com/s/article/87081?lang=en_US
Do all of these services run by default for this version?
stsd, idmd, psc-client, and vMon
Thanks,
TT
My question is, should I wait for the patch or apply the solution urgently? Are you applying the workaround to your infrastructure in the production environment, or are you waiting for the patch?
What exactly is the meaning of "temporary solution"?
Most people would; it's the highest CVE score possible, meaning that it's the worst it can get. Review the scoring at a site like this:
https://nvd.nist.gov/vuln-metrics/cvs
If you don't do the workaround, any machine is at risk. How averse you are to that risk is up to you; if these apps are in their own network that requires multiple jumps to get to, you may not be that concerned, because they need access to the network. To me, not doing the workaround is like watching your house burn while you hope someone is coming. You can do something now, so I would suggest that you d
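The question above asks what the two script lines do: the first defines a JVM system property that tells Log4j 2 not to perform lookups inside log messages, and the second starts the service's JVM with that property added. The check a practitioner wants after applying such a workaround is whether every running JVM was actually restarted with the flag. The script below is an added example, not part of the thread or of VMware's KB article; it reads `ps`-style "PID ARGS" lines and reports JVMs that lack the exact flag. The sample process lines and the JRE path in them are constructed placeholders. One caveat: Log4j 2.10 and later honor this property, older 2.x releases ignore it, so a present flag confirms the restart happened, not that the library in use respects it.

```shell
#!/bin/sh
# Added example (not from the thread or the KB article): confirm that running Java
# processes carry the JVM flag the workaround adds.

WORKAROUND_FLAG='-Dlog4j2.formatMsgNoLookups=true'

# has_nolookups_flag CMDLINE -> exit 0 if the command line carries the exact flag, 1 otherwise.
# Padding the command line with spaces makes the match whole-token, so
# "...NoLookups=false" or "...NoLookups=truex" does not count as mitigated.
has_nolookups_flag() {
    case " $1 " in
        *" $WORKAROUND_FLAG "*) return 0 ;;
        *) return 1 ;;
    esac
}

# count_unmitigated_java reads "PID ARGS" lines (the shape of `ps -eo pid=,args=`) on stdin,
# reports each JVM process on stderr, and prints the number of JVMs missing the flag on stdout.
count_unmitigated_java() {
    missing=0
    while read -r pid args; do
        [ -n "$args" ] || continue
        bin=${args%% *}
        case "$bin" in
            java|*/java) ;;           # only JVM processes are of interest
            *) continue ;;
        esac
        if has_nolookups_flag "$args"; then
            printf 'OK      pid=%s\n' "$pid" >&2
        else
            printf 'MISSING pid=%s  %s\n' "$pid" "$args" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# Constructed sample in the shape of `ps -eo pid=,args=` output (JRE path is a placeholder):
# one JVM with the flag, one without, and one non-Java process that must be ignored.
SAMPLE_PS='1234 /opt/placeholder-jre/bin/java -Xmx512m -Dlog4j2.formatMsgNoLookups=true -cp /opt/svc-a.jar com.example.SvcA
2345 /opt/placeholder-jre/bin/java -Xmx256m -cp /opt/svc-b.jar com.example.SvcB
3456 /usr/sbin/sshd -D'

# Dry run against the constructed sample; pass --live to scan the host's real process list.
if [ "${1-}" = "--live" ]; then
    ps -eo pid=,args= | count_unmitigated_java
else
    printf '%s\n' "$SAMPLE_PS" | count_unmitigated_java
fi
```

Run it without arguments to see the sample classification (it prints `1`, for the one constructed JVM without the flag); run it with `--live` on the appliance after restarting the services to see which JVMs still lack the flag. A non-zero count means at least one service was either not edited or not restarted.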