My question is fairly simple: is vSphere 5.5.0 impacted? (Related to VMware Response to CVE-2021-44228: Apache Log4j Remote Code Execution (87068).)
v5.5.0 is NOT listed here: VMSA-2021-0028.2 (vmware.com)
I just want to make sure it is not listed because it is deemed end of life and as such no longer supported.
If the server IS impacted, kindly advise mitigation steps.
vSphere 5.5 is not listed because it is out of support. So you need to check by yourself by running the script attached to the KB.
Hi,
I think the answer is no impact.
I did an initial search on a vcsa 5.5 running on MS Windows Server, recursively, with the command "dir /s/b log4*.jar".
It seems to be only using Log4j version 1.x, as you can see below.
Currently they say almost all versions of Log4j are vulnerable, starting from 2.0-beta9.
C:\Program Files\VMware\Infrastructure\Inventory Service\lib\log4j-1.2.14.jar
C:\Program Files\VMware\Infrastructure\Inventory Service\sso\lib\log4j-1.2.14.jar
C:\Program Files\VMware\Infrastructure\Orchestrator\app-server\deploy\vco\WEB-INF\lib\log4j-1.2.17.jar
C:\Program Files\VMware\Infrastructure\Orchestrator\app-server\temp\dars\o11nplugin-ssh.dar\lib\log4j-1.2.17.jar
C:\Program Files\VMware\Infrastructure\Orchestrator\app-server\temp\dars\o11nplugin-wfdocs.dar\lib\log4j-1.2.17.jar
C:\Program Files\VMware\Infrastructure\Orchestrator\apps\lib\log4j.jar
C:\Program Files\VMware\Infrastructure\Orchestrator\configuration\lib\o11n\log4j-1.2.17.jar
C:\Program Files\VMware\Infrastructure\Profile-Driven Storage\lib\log4j-1.2.14.jar
C:\Program Files\VMware\Infrastructure\tomcat\webapps\brain\WEB-INF\lib\log4j-over-slf4j-1.7.2.jar
C:\Program Files\VMware\Infrastructure\tomcat\webapps\eam\WEB-INF\lib\log4j-1.2.14.jar
C:\Program Files\VMware\Infrastructure\tomcat\webapps\ls\WEB-INF\lib\log4j-1.2.14.jar
C:\Program Files\VMware\Infrastructure\tomcat\webapps\statsreport\WEB-INF\lib\log4j-1.2.14.jar
C:\Program Files\VMware\Infrastructure\tomcat\webapps\vsm\WEB-INF\lib\log4j-1.2.14.jar
C:\Program Files\VMware\Infrastructure\tomcat\webapps\vws\WEB-INF\lib\log4j-1.2.14.jar
C:\Program Files\VMware\Infrastructure\VirtualCenter Server\isregtool\log4j-1.2.14.jar
C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool\lib\log4j-1.2.14.jar
C:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso\lib\log4j-1.2.16.jar
C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\repository\usr\log4j-over-slf4j-1.6.1.jar
C:\Program Files\VMware\Infrastructure\vSphereWebClient\SsoRegTool\lib\log4j-1.2.14.jar
C:\ProgramData\VMware\CIS\runtime\VMwareSTS\webapps\lookupservice\WEB-INF\lib\log4j-1.2.14.jar
C:\ProgramData\VMware\CIS\runtime\VMwareSTS\webapps\sso-adminserver\WEB-INF\lib\log4j-1.2.14.jar
C:\ProgramData\VMware\CIS\runtime\VMwareSTS\webapps\sts\WEB-INF\lib\log4j-1.2.14.jar
C:\ProgramData\VMware\CIS\runtime\VMwareSTS\webapps\websso\WEB-INF\lib\log4j-1.2.14.jar
C:\Users\administrator\AppData\Local\Temp\jetty-0.0.0.0-9084-vum-fileupload.war-_vum-fileupload-any-\webapp\WEB-INF\lib\log4j-1.2.8.jar
C:\Users\administrator\AppData\Local\Temp\Jetty_0_0_0_0_9084_vum.fileupload.war__vum.fileupload__dgjc5a\webapp\WEB-INF\lib\log4j-1.2.8.jar
C:\Users\All Users\VMware\CIS\runtime\VMwareSTS\webapps\lookupservice\WEB-INF\lib\log4j-1.2.14.jar
C:\Users\All Users\VMware\CIS\runtime\VMwareSTS\webapps\sso-adminserver\WEB-INF\lib\log4j-1.2.14.jar
C:\Users\All Users\VMware\CIS\runtime\VMwareSTS\webapps\sts\WEB-INF\lib\log4j-1.2.14.jar
C:\Users\All Users\VMware\CIS\runtime\VMwareSTS\webapps\websso\WEB-INF\lib\log4j-1.2.14.jar
C:\Users\svc-vmware\AppData\Local\Temp\jetty-0.0.0.0-9084-vum-fileupload.war-_vum-fileupload-any-\webapp\WEB-INF\lib\log4j-1.2.8.jar
Regards,
Raymond
A moderator should be along to move your thread, since there's no mention in your question of any SDK.
Ran a scan on VMware vCenter 5.5 "Linux edition":
vmvcenter:~ # sudo find / -name log4j*.jar
find: `/proc/1388/net': Invalid argument
find: `/proc/3492/net': Invalid argument
find: `/proc/5418/net': Invalid argument
find: `/proc/5812/net': Invalid argument
find: `/proc/11488': No such file or directory
find: `/proc/32631/net': Invalid argument
/opt/vmware/lib64/log4j-1.2.16.jar
/usr/lib/vmware-sso/support/lib/log4j-1.2.14.jar
/usr/lib/vmware-sso/webapps/sso-adminserver/WEB-INF/lib/log4j-1.2.14.jar
/usr/lib/vmware-sso/webapps/sts/WEB-INF/lib/log4j-1.2.14.jar
/usr/lib/vmware-sso/webapps/websso/WEB-INF/lib/log4j-1.2.14.jar
/usr/lib/vmware-sso/webapps/lookupservice/WEB-INF/lib/log4j-1.2.14.jar
/usr/lib/vmware-vpx/inventoryservice/lib/log4j-1.2.14.jar
/usr/lib/vmware-vpx/tomcat/webapps/ls/WEB-INF/lib/log4j-1.2.14.jar
/usr/lib/vmware-vpx/tomcat/webapps/vsm/WEB-INF/lib/log4j-1.2.14.jar
/usr/lib/vmware-vpx/tomcat/webapps/vws/WEB-INF/lib/log4j-1.2.14.jar
/usr/lib/vmware-vpx/tomcat/webapps/brain/WEB-INF/lib/log4j-over-slf4j-1.7.2.jar
/usr/lib/vmware-vpx/tomcat/webapps/eam/WEB-INF/lib/log4j-1.2.14.jar
/usr/lib/vmware-vpx/tomcat/webapps/statsreport/WEB-INF/lib/log4j-1.2.14.jar
/usr/lib/vmware-vpx/sps/lib/log4j-1.2.14.jar
/usr/lib/vmware-vpx/scripts/log4j-1.2.14.jar
/usr/lib/vmware-vpx/inventoryservice-registration/log4j-1.2.14.jar
/usr/lib/vmware-vsphere-client/server/repository/usr/log4j-over-slf4j-1.6.1.jar
vmvcenter:~ #
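The Windows and Linux listings above identify Log4j by file name only, which cannot classify the unversioned `log4j.jar` or a jar packed inside a `.war` or `.dar`. The following is an added example, not part of any post in this thread and not the script from the VMware KB; it goes beyond the thread by inspecting archive contents, and the function names and in-memory sample archives are constructed for illustration.

```python
import io
import re
import zipfile

# Class shipped only in log4j-core 2.x (the JNDI lookup behind CVE-2021-44228).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Class shipped in Log4j 1.x jars (and in 1.x API compatibility jars).
V1_LOGGER = "org/apache/log4j/Logger.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".dar")

def classify_by_name(path):
    """Classify a path the way the dir/find listings allow: by file name only."""
    name = re.split(r"[\\/]", path)[-1].lower()
    if name.startswith("log4j-over-slf4j"):
        return "slf4j-bridge"      # SLF4J shim, not Log4j itself
    m = re.match(r"log4j(?:-core|-api)?-(\d+)\.", name)
    if m:
        return "log4j-%s.x" % m.group(1)
    return "unknown"               # e.g. an unversioned log4j.jar

def scan_archive(data, label, depth=0, max_depth=3):
    """Return [(label, finding)] for one archive, recursing into nested ones."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(label, "unreadable")]
    findings = []
    with zf:
        names = set(zf.namelist())
        if JNDI_LOOKUP in names:
            findings.append((label, "log4j-core 2.x with JndiLookup"))
        elif V1_LOGGER in names:
            findings.append((label, "log4j 1.x API classes"))
        if depth < max_depth:
            for n in sorted(names):
                if n.lower().endswith(ARCHIVE_EXT):
                    findings += scan_archive(zf.read(n), label + "!" + n,
                                             depth + 1, max_depth)
    return findings

def make_jar(entries):
    """Build a constructed in-memory archive (sample data, not a real jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

To check a real file, read it in binary mode and pass the bytes and the path as the label to `scan_archive`.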
vSphere 5.5 is not listed because it is out of support. So you need to check by yourself by running the script attached to the KB.
And keep in mind: your vCenter 5.5 is also vulnerable to many more security issues, also related to the discontinued Flash components.