Hi,
We have VMware vCenter server Appliance VCSA 6.7.
I would like to know the Tomcat Web Server version running on VCSA 6.7.
Could you please help me to get the version details from vCenter server?
Regards,
Why do you want to know?
We need to know the Tomcat version because CVE-2021-40438 was released; we would like to know if we are impacted.
vCSA 6.7 up to U3o (and all 7.0 versions) is affected by CVE-2021-40438. A future version should contain a higher version of Tomcat.
Thanks for the details.
Can you please help me with how to check the Tomcat version in VCSA?
Well, it should be "httpd -v".
Thanks! It worked 🙂
Glad it worked.
Seems you marked the wrong comment as the solution. I would appreciate it if you could update it.
And now maybe CVE-2021-44228?
There seem to be plenty of different log4j versions on a vCenter (and all versions <= 2.14.1 are affected), and I wonder which is used where.
root@your-precious-vcenter [ ~ ]# find /usr/ -name "log4j-core*.jar"
/usr/lib/vmware-sso/vmware-sts/webapps/ROOT/WEB-INF/lib/log4j-core-2.13.1.jar
/usr/lib/vmware-dbcc/lib/log4j-core-2.8.2.jar
/usr/lib/vmware-lookupsvc/webapps/ROOT/WEB-INF/lib/log4j-core-2.13.1.jar
/usr/lib/vmware/common-jars/log4j-core-2.11.2.jar
/usr/lib/vmware/common-jars/log4j-core-2.8.2.jar
/usr/lib/vmware/common-jars/log4j-core-2.11.0.jar
/usr/lib/vmware/common-jars/log4j-core-2.13.1.jar
/usr/lib/vmware/cis_upgrade_runner/payload/component-scripts/sso/lstool/lib/log4j-core-2.13.1.jar
What is the official mitigation for:
$ vpxd -v
VMware VirtualCenter 7.0.3 build-18901211
Seems like setting log4j2.formatMsgNoLookups to true. No idea how this will affect VMware products.
Independently for all of the following files? I suppose I can't pass that as an additional execution argument to all the Java processes that vSphere spawns. I suppose the vulnerable parts are all APIs and other components that allow logging of user input in a possibly unsanitised form.
root@your-vcenter [ ~ ]# find / -name "log4j*.xml"
/opt/vmware/share/config/log4j2.xml
/usr/lib/vmware-certificateauthority/config/log4j2.xml
/usr/lib/vmware-trustmanagement/config/log4j2.xml
/usr/lib/vmware-sso/vmware-sts/webapps/ROOT/WEB-INF/classes/log4j2.xml
/usr/lib/vmware-lookupsvc/webapps/ROOT/WEB-INF/classes/log4j2.xml
/usr/lib/vmware-topologysvc/config/log4j2.xml
/usr/lib/vmware-infraprofile/config/log4j2.xml
/usr/lib/vmware-certificatemanagement/config/log4j2.xml
Maybe the relevant configuration files are log4j.properties instead.
I found 35 such files with find / -name "log4j*.properties" | wc -l.
Should that setting be applied independently to each of them? VMware, we need urgent official information about this.
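Putting the two questions above together (which log4j-core version lives where, and whether the log4j2.formatMsgNoLookups setting is even a mitigation for each copy), here is an added example that is not part of the thread or of any VMware tooling. It takes the jar paths from the find output above as constructed input, treats versions <= 2.14.1 as affected as stated above, and assumes the formatMsgNoLookups property only exists from log4j 2.10.0 onwards, so it is no mitigation for the 2.8.2 copies.

```shell
#!/bin/sh
# Added example, not from the thread: classify each log4j-core jar found on a
# vCenter appliance by the version in its filename, for CVE-2021-44228.
# Assumptions: versions <= 2.14.1 are affected (as stated in the thread), and
# log4j2.formatMsgNoLookups only exists from log4j 2.10.0 onwards, so the flag
# does nothing for the 2.8.2 copies; those need the jar replaced or removed.

# ".../log4j-core-2.13.1.jar" -> "2.13.1"; prints nothing for other filenames.
log4j_version_from_path() {
    basename "$1" | sed -n 's/^log4j-core-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# "2.13.1" -> 2013001, so versions compare as plain integers in the shell.
version_num() {
    echo "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# One-word status per jar path: not-affected, affected;flag-applies,
# affected;flag-not-applicable, or unknown (no version in the filename).
log4j_status() {
    ver=$(log4j_version_from_path "$1")
    if [ -z "$ver" ]; then echo "unknown"; return 0; fi
    n=$(version_num "$ver")
    if [ "$n" -gt "$(version_num 2.14.1)" ]; then
        echo "not-affected"
    elif [ "$n" -ge "$(version_num 2.10.0)" ]; then
        echo "affected;flag-applies"
    else
        echo "affected;flag-not-applicable"
    fi
}

# Report for a newline-separated list of jar paths: path, version, status.
report_log4j_jars() {
    while IFS= read -r jar; do
        [ -n "$jar" ] || continue
        printf '%-75s %-8s %s\n' "$jar" \
            "$(log4j_version_from_path "$jar")" "$(log4j_status "$jar")"
    done
}

# Constructed input: paths copied from the find output in the thread. On a
# live appliance pipe in:  find / -name 'log4j-core*.jar' 2>/dev/null
report_log4j_jars <<'EOF'
/usr/lib/vmware-sso/vmware-sts/webapps/ROOT/WEB-INF/lib/log4j-core-2.13.1.jar
/usr/lib/vmware-dbcc/lib/log4j-core-2.8.2.jar
/usr/lib/vmware/common-jars/log4j-core-2.11.2.jar
/usr/lib/vmware/common-jars/log4j-core-2.8.2.jar
/usr/lib/vmware/cis_upgrade_runner/payload/component-scripts/sso/lstool/lib/log4j-core-2.13.1.jar
EOF
```

The directory prefix of each affected jar (vmware-sso, vmware-dbcc, common-jars, cis_upgrade_runner) tells you which component ships that copy, which is the "used where" part of the question.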
I think we need an official VMware response to this. In the meantime I have firewalled every VMware product from the public internet. I know many people don't have that luxury.
VMware is aware of the critical severity vulnerability in Apache Log4j2 (CVE-2021-44228) and is currently working on it. Should have it fixed in a future version soon.
Please follow https://www.vmware.com/security/advisories/VMSA-2021-0028.html