Solved: Is VSphere 5.5.0 also impacted? (Log4j)

lmolenaar · ‎12-15-2021

My question is fairly simple, is VSphere 5.5.0 impacted? (related to VMware Response to CVE-2021-44228: Apache Log4j Remote Code Execution (87068))

v5.5.0 is NOT listed here: VMSA-2021-0028.2 (vmware.com)

I just want to make sure it is not listed because it is deemed end of life and as such no longer supported.

If the server IS impacted, kindly advise mitigation steps

stadi13 · ‎12-29-2021

vSphere 5.5 is not listed because it is out of support. So you need to check by youself with running the script attached to the KB

View solution in original post

-Raymond- · ‎12-15-2021

Hi,

I think the answer is no impact.
I did an initial search on a vcsa 5.5 running on MS windows server recursively with command "dir /s/b log4*.jar"

It seems to be only using log4j version 1.x as you can see below

Currently they say almost all versions of Log4j are vulnerable, starting from 2.0-beta9

C:\Program Files\VMware\Infrastructure\Inventory Service\lib\log4j-1.2.14.jar
C:\Program Files\VMware\Infrastructure\Inventory Service\sso\lib\log4j-1.2.14.jar
C:\Program Files\VMware\Infrastructure\Orchestrator\app-server\deploy\vco\WEB-INF\lib\log4j-1.2.17.jar
C:\Program Files\VMware\Infrastructure\Orchestrator\app-server\temp\dars\o11nplugin-ssh.dar\lib\log4j-1.2.17.jar
C:\Program Files\VMware\Infrastructure\Orchestrator\app-server\temp\dars\o11nplugin-wfdocs.dar\lib\log4j-1.2.17.jar
C:\Program Files\VMware\Infrastructure\Orchestrator\apps\lib\log4j.jar
C:\Program Files\VMware\Infrastructure\Orchestrator\configuration\lib\o11n\log4j-1.2.17.jar
C:\Program Files\VMware\Infrastructure\Profile-Driven Storage\lib\log4j-1.2.14.jar
C:\Program Files\VMware\Infrastructure\tomcat\webapps\brain\WEB-INF\lib\log4j-over-slf4j-1.7.2.jar
C:\Program Files\VMware\Infrastructure\tomcat\webapps\eam\WEB-INF\lib\log4j-1.2.14.jar
C:\Program Files\VMware\Infrastructure\tomcat\webapps\ls\WEB-INF\lib\log4j-1.2.14.jar
C:\Program Files\VMware\Infrastructure\tomcat\webapps\statsreport\WEB-INF\lib\log4j-1.2.14.jar
C:\Program Files\VMware\Infrastructure\tomcat\webapps\vsm\WEB-INF\lib\log4j-1.2.14.jar
C:\Program Files\VMware\Infrastructure\tomcat\webapps\vws\WEB-INF\lib\log4j-1.2.14.jar
C:\Program Files\VMware\Infrastructure\VirtualCenter Server\isregtool\log4j-1.2.14.jar
C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool\lib\log4j-1.2.14.jar
C:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso\lib\log4j-1.2.16.jar
C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\repository\usr\log4j-over-slf4j-1.6.1.jar
C:\Program Files\VMware\Infrastructure\vSphereWebClient\SsoRegTool\lib\log4j-1.2.14.jar
C:\ProgramData\VMware\CIS\runtime\VMwareSTS\webapps\lookupservice\WEB-INF\lib\log4j-1.2.14.jar
C:\ProgramData\VMware\CIS\runtime\VMwareSTS\webapps\sso-adminserver\WEB-INF\lib\log4j-1.2.14.jar
C:\ProgramData\VMware\CIS\runtime\VMwareSTS\webapps\sts\WEB-INF\lib\log4j-1.2.14.jar
C:\ProgramData\VMware\CIS\runtime\VMwareSTS\webapps\websso\WEB-INF\lib\log4j-1.2.14.jar
C:\Users\administrator\AppData\Local\Temp\jetty-0.0.0.0-9084-vum-fileupload.war-_vum-fileupload-any-\webapp\WEB-INF\lib\log4j-1.2.8.jar
C:\Users\administrator\AppData\Local\Temp\Jetty_0_0_0_0_9084_vum.fileupload.war__vum.fileupload__dgjc5a\webapp\WEB-INF\lib\log4j-1.2.8.jar
C:\Users\All Users\VMware\CIS\runtime\VMwareSTS\webapps\lookupservice\WEB-INF\lib\log4j-1.2.14.jar
C:\Users\All Users\VMware\CIS\runtime\VMwareSTS\webapps\sso-adminserver\WEB-INF\lib\log4j-1.2.14.jar
C:\Users\All Users\VMware\CIS\runtime\VMwareSTS\webapps\sts\WEB-INF\lib\log4j-1.2.14.jar
C:\Users\All Users\VMware\CIS\runtime\VMwareSTS\webapps\websso\WEB-INF\lib\log4j-1.2.14.jar
C:\Users\svc-vmware\AppData\Local\Temp\jetty-0.0.0.0-9084-vum-fileupload.war-_vum-fileupload-any-\webapp\WEB-INF\lib\log4j-1.2.8.jar

Regards,
Raymond

scott28tt · ‎12-15-2021

A moderator should be along to move your thread, since there's no mention in your question of any SDK.

-------------------------------------------------------------------------------------------------------------------------------------------------------------

Although I am a VMware employee I contribute to VMware Communities voluntarily (ie. not in any official capacity)
VMware Training & Certification blog

graydon · ‎12-29-2021

Run a scan on Vmware Vcenter 5.5 'linux edition

vmvcenter:~ # sudo find / -name log4j*.jar
find: `/proc/1388/net': Invalid argument
find: `/proc/3492/net': Invalid argument
find: `/proc/5418/net': Invalid argument
find: `/proc/5812/net': Invalid argument
find: `/proc/11488': No such file or directory
find: `/proc/32631/net': Invalid argument
/opt/vmware/lib64/log4j-1.2.16.jar
/usr/lib/vmware-sso/support/lib/log4j-1.2.14.jar
/usr/lib/vmware-sso/webapps/sso-adminserver/WEB-INF/lib/log4j-1.2.14.jar
/usr/lib/vmware-sso/webapps/sts/WEB-INF/lib/log4j-1.2.14.jar
/usr/lib/vmware-sso/webapps/websso/WEB-INF/lib/log4j-1.2.14.jar
/usr/lib/vmware-sso/webapps/lookupservice/WEB-INF/lib/log4j-1.2.14.jar
/usr/lib/vmware-vpx/inventoryservice/lib/log4j-1.2.14.jar
/usr/lib/vmware-vpx/tomcat/webapps/ls/WEB-INF/lib/log4j-1.2.14.jar
/usr/lib/vmware-vpx/tomcat/webapps/vsm/WEB-INF/lib/log4j-1.2.14.jar
/usr/lib/vmware-vpx/tomcat/webapps/vws/WEB-INF/lib/log4j-1.2.14.jar
/usr/lib/vmware-vpx/tomcat/webapps/brain/WEB-INF/lib/log4j-over-slf4j-1.7.2.jar
/usr/lib/vmware-vpx/tomcat/webapps/eam/WEB-INF/lib/log4j-1.2.14.jar
/usr/lib/vmware-vpx/tomcat/webapps/statsreport/WEB-INF/lib/log4j-1.2.14.jar
/usr/lib/vmware-vpx/sps/lib/log4j-1.2.14.jar
/usr/lib/vmware-vpx/scripts/log4j-1.2.14.jar
/usr/lib/vmware-vpx/inventoryservice-registration/log4j-1.2.14.jar
/usr/lib/vmware-vsphere-client/server/repository/usr/log4j-over-slf4j-1.6.1.jar
vmvcenter:~ #

stadi13 · ‎12-29-2021

vSphere 5.5 is not listed because it is out of support. So you need to check by youself with running the script attached to the KB

stadi13 · ‎12-29-2021

And keep in mind. Your vCenter 5.5 is also vulnerable to many more security issues also realted to the discontinued flash components.