RyanSclanders
Contributor
Contributor

vCenter 6.7 for Windows Build 19300125 - Log4j

Hi All,

 

To resolve my log4j vulnerability issues earlier this year I upgraded my Windows vCenter Server 6.7 U3p build 18831133 to Update 3q build 19300125. Along with that I upgraded VUM to the version included with the ISO 6.7.0.42257
Unfortunately, I still get log4j vulnerability issues when scanning the server, including:

Path: WEB-INF\lib\log4j-1.2.8.jar
Installed version : 1.2.8

Path : WEB-INF\lib\log4j-1.2.8.jar
Installed version : 1.2.8

Path: WEB-INF\lib\log4j-1.2.8.jar
Installed version : 1.2.8

Path: webapps\vum-fileupload.war
Installed version : 1.2.8

Path: vCenter Server\VMware Identity Services\log4j-1.2.16.jar
Installed version : 1.2.16

Path: vCenter Server\VMware Identity Services\lstool\lib\log4j-1.2.16.jar
Installed version : 1.2.16

Path: vCenter Server\common-jars\log4j-1.2.16.jar
Installed version : 1.2.16

Path: vCenter Server\common-jars\log4j-1.2.17.jar
Installed version : 1.2.17


The migration script included in KB https://kb.vmware.com/s/article/87096 states: “Do not use the vc_log4j_mitigator.py script on vCenter Servers that have already been upgraded to a fixed version.” Fixed version: vCenter Server 6.7 Update 3q, build 19300125

Does anyone have the same issues and or know of a solution to upgrade the version of log4j?

Thanks,

3 Replies
8islas
Enthusiast
Enthusiast

Hello:

I haven't used vCenter on Windows in years.

Certain third-party vSphere Client plugins may be detected as vulnerable even after repair.

This is because the jar files are recreated each time the client is started. These must be addressed by patching the plugin to an unaffected version or removing the plugin via the vCenter MOB.

Did you update your VUM plugin to the latest version?

This is the ISO that corresponds to vCenter Server 6.7 Update 3q, build 19300125

https://customerconnect.vmware.com/downloads/details?downloadGroup=VC67U3Q&productId=742&rPId=88788

8islas_0-1653298664926.png

Maybe it's a good time to think about migrating.

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vcenter.upgrade.doc/GUID-28B58AC7-7C35-4FC3...

Hope it helps.

0 Kudos
RyanSclanders
Contributor
Contributor

Thanks for the response @8islas . Unfortunately, I use the Windows version in this environment for design and standards reasons, so not something I can change right now. I am using the latest version released with U3q build 19300125 for both vCenter and VUM, which from the release notes and KBs is supposed to have fixed the log4j issues. 

0 Kudos
8islas
Enthusiast
Enthusiast

Hi @RyanSclanders 

Maybe the answer is here on release notes but it is not clear.

https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3q-release-notes.html

NOTE: vCenter Server 6.7 Update 3q does not provide a security patch to update the JRE component of vCenter Server for Windows and Platform Services Controller for Windows. Instead, you must download the VMware-VIM-all-6.7.0-19300125.iso file from VMware Customer Connect. For more information, see Download the vCenter Server Installer for Windows.

Security Issues on release notes from version 6.7u3q:     also on windows?¿
Apache log4j is updated to versions 2.12.4 for JDK 7 and 2.17.0 for JDK 8.
Apache Struts is updated to version 2.5.28.3.

Here is a good resume for CVEs:

https://micoolpaul.com/2022/02/09/vmware-vcenter-log4j-patches-available/

CVE Conclusion – VMware vCenter 6.7 & 6.5
VMware have a more complicated upgrade path with VMware vCenter 6.7 & 6.5. As there is the use of both JDK 7 and JDK8. Within the JDK8 framework, Log4j has been patched to 2.17.0, which protects against the first two Log4j vulnerabilities detailed above on this framework, whilst the remaining two CVEs are unexploitable on the VMware vCenter configuration. But vCenter 6.7 & 6.5 also use the JDK7 framework, which doesn’t support Log4j 2.17.0, instead however there is an update that mitigates these vulnerabilities that does support JDK7, Log4j 2.12.4, which is the version that VMware have upgraded to, this offers complete protection against all four CVEs detailed above, even the ones that VMware is vulnerable to in 2.17.0 but is not exploitable.

Sorry I can not help more, surely it is a problem of the Windows version but it is not very well specified.

Finally, take note from this:

Originally, vSphere 6.7 was scheduled to reach EoGS (End of General Support) on November 15, 2021. We are extending this date by 11 months, to October 15, 2022.

 

Regards

0 Kudos