VMware Cloud Community
Rydqvist
Contributor

CVE-2021-44228 workaround for vCenter Server Appliance 6.0 U3j

Hi,

We have tried to follow the KB87081 workaround on our VMware vCenter Server 6.0 U3j (Essentials) appliance, but we cannot find the line 72 mentioned in the article.

I need to know where to add the line, if this article is applicable to the Essentials version.


vCenter Server Appliance 6.0 U3j Workaround
vCenter Server Appliance 6.0 U3j is no longer in general support but has also been identified as vulnerable to CVE-2021-44228 due to the Performance Charts service. Mitigation steps have been identified as follows:

1. Back up and edit /usr/lib/vmware-perfcharts/wrapper/conf/wrapper.conf on the appliance and add a new line just below "wrapper.java.additional.13=-Dlog4j.configurationFile=file:/etc/vmware-perfcharts/log4j2.xml" (line 72) with the following content:

wrapper.java.additional.14=-Dlog4j2.formatMsgNoLookups=true

2. Save the file, stop the service and then start it through service-control:

service-control --stop vmware-perfcharts
service-control --start vmware-perfcharts


Best Regards,
Thomas Johansson

Totte
3 Replies
Ajay1988
Expert

Share /usr/lib/vmware-perfcharts/wrapper/conf/wrapper.conf

"I need to know where to add the line if this article is applicable to the Essentials version?" Yes, it is.


Regards,
AJ
bfcsyseng
Contributor

Same here

Here's what the mentioned section looks like in our environment:

# Java Additional Parameters
wrapper.java.additional.1=-Djava.endorsed.dirs=%VMWARE_TOMCAT%/endorsed
wrapper.java.additional.2=-Dlog4j.configuration=file:/etc/vmware-perfcharts/log4j.properties
wrapper.java.additional.3=-Djava.io.tmpdir=/usr/lib/vmware-perfcharts/tc-instance/temp
wrapper.java.additional.4=-Dcatalina.base=/usr/lib/vmware-perfcharts/tc-instance
wrapper.java.additional.5=-Dcatalina.home=%VMWARE_TOMCAT%
wrapper.java.additional.6=-Dvim.logdir=/var/log/vmware/perfcharts
wrapper.java.additional.7=-DPERFCHARTS_HOME=/usr/lib/vmware-perfcharts
wrapper.java.additional.8=-DPERFCHARTS_CFG_DIR=/etc/vmware-perfcharts
# Next three parameters are setting the garbage collector to ConcMarkSweep and are
# enabling it to collect unused classes.
wrapper.java.additional.9=-XX:+UseConcMarkSweepGC
wrapper.java.additional.10=-XX:+CMSClassUnloadingEnabled
wrapper.java.additional.11=-XX:+CMSPermGenSweepingEnabled
wrapper.java.additional.12=-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
# Application parameters. Add parameters as needed starting from 1
wrapper.app.parameter.1=org.apache.catalina.startup.Bootstrap
wrapper.app.parameter.2=1
wrapper.app.parameter.3=start
wrapper.app.parameter.4=org.apache.catalina.startup.Bootstrap
wrapper.app.parameter.5=TRUE
wrapper.app.parameter.6=1
wrapper.app.parameter.7=stop
#********************************************************************

wrapper.java.additional.13 is missing and there is no file "/etc/vmware-perfcharts/log4j2.xml" on our appliance.

Can we just add the line "wrapper.java.additional.14=-Dlog4j2.formatMsgNoLookups=true" and proceed with the workaround?

Thanks
Patric



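Added example (editor's code, not from KB87081, VMware, or any poster in this thread): a POSIX shell script that applies the workaround from the first post to a wrapper.conf like the one Patric posted, where the wrapper.java.additional series ends at 12 rather than 13. The config is read by the Tanuki Java Service Wrapper (wrapper.java.mainclass=org.tanukisoftware.wrapper.WrapperStartStopApp), which reads numbered properties in sequence and stops at the first gap, so a line numbered 14 placed after 12 would never reach the JVM; the script therefore backs the file up and inserts the flag at the next free index, directly after the last numbered entry, and is safe to re-run. Two checks a practitioner wants are included: -Dlog4j2.formatMsgNoLookups=true is honoured only by log4j 2.10.0 through 2.14.1 (log4j 1.x, which the posted -Dlog4j.configuration=...log4j.properties line is the config style for, and 2.x before 2.10 ignore it), so the script lists the log4j-core jar versions it can find; and after service-control --stop/--start it reads the running JVM's /proc cmdline to confirm the flag is really in effect. The config path, the search directories, and the availability of pgrep and /proc are assumptions; the sample config written by write_sample_conf is constructed from the fragment in Patric's post.

```shell
#!/bin/sh
# Added example, not part of KB87081 or this thread: apply the log4j2.formatMsgNoLookups
# workaround to a Tanuki wrapper.conf by appending the flag at the next free
# wrapper.java.additional.N index. Paths and service names below are assumptions.
set -eu

JAVA_FLAG='-Dlog4j2.formatMsgNoLookups=true'
DEFAULT_CONF='/usr/lib/vmware-perfcharts/wrapper/conf/wrapper.conf'   # assumed path (from the thread)

# Highest N among "wrapper.java.additional.N=" lines; auto_bits and comments are skipped.
max_additional_index() {
    sed -n 's/^wrapper\.java\.additional\.\([0-9][0-9]*\)=.*/\1/p' "$1" | sort -n | tail -n 1
}

# Back the file up and insert the flag directly after the last numbered entry so the
# series stays contiguous (the Tanuki wrapper stops reading a numbered series at the
# first gap). Prints the index used, or "present" if the flag is already in the file.
add_no_lookups_flag() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    if grep -q -- "$JAVA_FLAG" "$conf"; then
        echo present
        return 0
    fi
    last=$(max_additional_index "$conf")
    [ -n "$last" ] || { echo "no wrapper.java.additional.N entries in $conf" >&2; return 1; }
    next=$((last + 1))
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    awk -v last="$last" -v flagline="wrapper.java.additional.$next=$JAVA_FLAG" '
        { print }
        $0 ~ ("^wrapper\\.java\\.additional\\." last "=") { print flagline }
    ' "$conf" > "$conf.tmp"
    cat "$conf.tmp" > "$conf"      # rewrite in place to keep the original inode and mode
    rm -f "$conf.tmp"
    echo "$next"
}

# Versions of log4j-core jars under the given directories. The flag is honoured only by
# log4j 2.10.0 through 2.14.1; log4j 1.x (log4j.properties) and older 2.x ignore it.
log4j_core_versions() {
    find "$@" -type f -name 'log4j-core-*.jar' 2>/dev/null \
        | sed -n 's/.*log4j-core-\([0-9][0-9.]*\)\.jar$/\1/p' | sort -u
}

# After "service-control --stop vmware-perfcharts && service-control --start vmware-perfcharts",
# confirm the running JVM actually received the flag (assumes procps pgrep and Linux /proc).
verify_running_jvm() {
    for pid in $(pgrep -f 'vmware-perfcharts' || true); do
        if tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null | grep -q -- "$JAVA_FLAG"; then
            echo "pid $pid runs with $JAVA_FLAG"
            return 0
        fi
    done
    echo "no perfcharts JVM with $JAVA_FLAG found" >&2
    return 1
}

# Constructed sample (abridged from the block Patric posted above): the numbered series
# ends at 12, so KB87081's "below line 72 / index 14" instruction does not fit it.
write_sample_conf() {
    cat > "$1" <<'EOF'
wrapper.java.additional.auto_bits=TRUE
# Java Additional Parameters
wrapper.java.additional.1=-Djava.endorsed.dirs=%VMWARE_TOMCAT%/endorsed
wrapper.java.additional.2=-Dlog4j.configuration=file:/etc/vmware-perfcharts/log4j.properties
wrapper.java.additional.8=-DPERFCHARTS_CFG_DIR=/etc/vmware-perfcharts
wrapper.java.additional.9=-XX:+UseConcMarkSweepGC
wrapper.java.additional.10=-XX:+CMSClassUnloadingEnabled
wrapper.java.additional.11=-XX:+CMSPermGenSweepingEnabled
wrapper.java.additional.12=-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
# Application parameters. Add parameters as needed starting from 1
wrapper.app.parameter.1=org.apache.catalina.startup.Bootstrap
wrapper.app.parameter.2=1
wrapper.app.parameter.3=start
EOF
}

# Usage on the appliance: sh fix-perfcharts-log4j.sh --apply [/path/to/wrapper.conf]
if [ "${1:-}" = "--apply" ]; then
    add_no_lookups_flag "${2:-$DEFAULT_CONF}"
    log4j_core_versions /usr/lib/vmware-perfcharts /usr/lib/vmware   # assumed search roots
    echo "now run: service-control --stop vmware-perfcharts && service-control --start vmware-perfcharts"
fi
```

The flag only changes how log4j 2 formats messages; it does not remove the JndiLookup class from the jar, so if log4j_core_versions reports a version outside 2.10.0 to 2.14.1, this property is not a mitigation for that service and the jar itself has to be dealt with.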
Rydqvist
Contributor

Hi AJ,

Here is my wrapper.conf, except for the Wrapper License Properties section:

#********************************************************************
# Wrapper Java Properties
#********************************************************************
# Java Application comes from common wrapper
#include.required %VMWARE_CFG_DIR%/wrapper_common.conf
# The following line overrides the preset JVM arguments in the JAVA_TOOL_OPTIONS
# environment variable. This variable is used by java by default when starting JVM.
#set.JAVA_TOOL_OPTIONS=-Xms16M -Xmx1024M
# Tell the Wrapper to log the full generated Java command line.
#wrapper.java.command.loglevel=INFO
# Java Main class. This class must implement the WrapperListener interface
# or guarantee that the WrapperManager class is initialized. Helper
# classes are provided to do this for you. See the Integration section
# of the documentation for details.
wrapper.java.mainclass=org.tanukisoftware.wrapper.WrapperStartStopApp
# Java Classpath (include wrapper.jar) Add class path elements as
# needed starting from 1
wrapper.java.classpath.1=../lib/wrapper.jar
wrapper.java.classpath.2=%VMWARE_TOMCAT%/bin/tomcat-juli.jar
wrapper.java.classpath.3=%VMWARE_COMMON_JARS%/ecj-4.6.1.jar
wrapper.java.classpath.4=%VMWARE_COMMON_JARS%/tomcat-embed-core-8.5.43.jar
wrapper.java.classpath.5=/opt/vmware/vpostgres/current/lib/postgresql-*.jar
wrapper.java.classpath.6=%VMWARE_COMMON_JARS%/tomcat-embed-jasper-8.5.43.jar
wrapper.java.classpath.7=%VMWARE_COMMON_JARS%/tomcat-embed-el-8.5.43.jar
wrapper.java.classpath.8=%VMWARE_COMMON_JARS%/javax.annotation-api-1.2.jar
wrapper.java.classpath.9=%VMWARE_COMMON_JARS%/ejb-api-3.0.jar
wrapper.java.classpath.10=%VMWARE_COMMON_JARS%/persistence-api-1.0.2.jar
# Java Library Path (location of Wrapper.DLL or libwrapper.so)
wrapper.java.library.path.1=../lib
# Java Bits. On applicable platforms, tells the JVM to run in 32 or 64-bit mode.
wrapper.java.additional.auto_bits=TRUE
# Java Additional Parameters
wrapper.java.additional.1=-Djava.endorsed.dirs=%VMWARE_TOMCAT%/endorsed
wrapper.java.additional.2=-Dlog4j.configuration=file:/etc/vmware-perfcharts/log4j.properties
wrapper.java.additional.3=-Djava.io.tmpdir=/usr/lib/vmware-perfcharts/tc-instance/temp
wrapper.java.additional.4=-Dcatalina.base=/usr/lib/vmware-perfcharts/tc-instance
wrapper.java.additional.5=-Dcatalina.home=%VMWARE_TOMCAT%
wrapper.java.additional.6=-Dvim.logdir=/var/log/vmware/perfcharts
wrapper.java.additional.7=-DPERFCHARTS_HOME=/usr/lib/vmware-perfcharts
wrapper.java.additional.8=-DPERFCHARTS_CFG_DIR=/etc/vmware-perfcharts
# Next three parameters are setting the garbage collector to ConcMarkSweep and are
# enabling it to collect unused classes.
wrapper.java.additional.9=-XX:+UseConcMarkSweepGC
wrapper.java.additional.10=-XX:+CMSClassUnloadingEnabled
wrapper.java.additional.11=-XX:+CMSPermGenSweepingEnabled
wrapper.java.additional.12=-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
# Application parameters. Add parameters as needed starting from 1
wrapper.app.parameter.1=org.apache.catalina.startup.Bootstrap
wrapper.app.parameter.2=1
wrapper.app.parameter.3=start
wrapper.app.parameter.4=org.apache.catalina.startup.Bootstrap
wrapper.app.parameter.5=TRUE
wrapper.app.parameter.6=1
wrapper.app.parameter.7=stop
#********************************************************************
# Wrapper Logging Properties
#********************************************************************
# Enables Debug output from the Wrapper.
# wrapper.debug=TRUE
# Allows us to request a thread dump on Windows
wrapper.thread_dump_control_code=255
# Format of output for the console. (See docs for formats)
wrapper.console.format=PM
# Log Level for console output. (See docs for log levels)
wrapper.console.loglevel=INFO
# Format of output for the log file. (See docs for formats)
wrapper.logfile.format=LPTM
# Log Level for log file output. (See docs for log levels)
wrapper.logfile.loglevel=INFO
# Maximum size that the log file will be allowed to grow to before
# the log is rolled. Size is specified in bytes. The default value
# of 0, disables log rolling. May abbreviate with the 'k' (kb) or
# 'm' (mb) suffix. For example: 10m = 10 megabytes.
wrapper.logfile.maxsize=10m
# Maximum number of rolled log files which will be allowed before old
# files are deleted. The default value of 0 implies no limit.
wrapper.logfile.maxfiles=10
# Log Level for sys/event log output. (See docs for log levels)
wrapper.syslog.loglevel=NONE
#********************************************************************
# Wrapper General Properties
#********************************************************************
# Title to use when running as a console
wrapper.console.title=VMware Performance Charts
#********************************************************************
# Wrapper Windows NT/2000/XP Service Properties
#********************************************************************
# WARNING - Do not modify any of these properties when an application
# using this configuration file has been installed as a service.
# Please uninstall the service before modifying this section. The
# service can then be reinstalled.
# Name of the service
wrapper.name=vmware-perfcharts
# Display name of the service
wrapper.displayname=VMware Performance Charts
# Description of the service
wrapper.description=Supports viewing performance metrics on the resource usage of the vSphere inventory objects
# Service dependencies. Add dependencies as needed starting from 1
wrapper.startup.timeout=1800
# Mode in which the service is installed. AUTO_START, DELAY_START or DEMAND_START
wrapper.ntservice.starttype=AUTO_START
# Allow the service to interact with the desktop.
wrapper.ntservice.interactive=false
# restart trigger on stuck transactions
wrapper.filter.trigger.1=SESSION_THRESHOLD_ERROR
wrapper.filter.action.1=RESTART
# wrapper JVM port
wrapper.jvm.port=35200
wrapper.jvm.port.min=35200
wrapper.jvm.port.max=35999
# wrapper port
wrapper.port=36200
wrapper.port.min=36200
wrapper.port.max=36999
# Do not wait for main to return
#

Totte