VMware Cloud Community
dxber
Contributor
Contributor
Jump to solution

vCenter Server 6.7 Tomcat Version?

Hi,

We have VMware vCenter server Appliance VCSA 6.7.

I would like to know the Tomcat Web Server version running on vcsa 6.7.

Could you please help me to get the version details from vCenter server?

 

Regards,

 

Reply
0 Kudos
3 Solutions

Accepted Solutions
dxber
Contributor
Contributor
Jump to solution

Thanks for the details.

Can you please help me how to check Tomcat version in VCSA?

View solution in original post

Reply
0 Kudos
Ajay1988
Expert
Expert
Jump to solution

Well it should be "httpd -v" .

 

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ

View solution in original post

Reply
0 Kudos
Ajay1988
Expert
Expert
Jump to solution

Glad It worked.

 

Seems you marked wrong comment as solution. Appreciate if you could update it

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ

View solution in original post

Reply
0 Kudos
14 Replies
scott28tt
VMware Employee
VMware Employee
Jump to solution

Why do you want to know?

 


-------------------------------------------------------------------------------------------------------------------------------------------------------------

Although I am a VMware employee I contribute to VMware Communities voluntarily (ie. not in any official capacity)
VMware Training & Certification blog
Reply
0 Kudos
dxber
Contributor
Contributor
Jump to solution

We need to know the Tomcat version as there was some CVE-2021-40438 released, we would like to know that if we are impacted?

Reply
0 Kudos
Ajay1988
Expert
Expert
Jump to solution

vCSA 6.7 till U3o (even all 7.0 versions)  are affected with CVE-2021-40438. A future version should contain a higher version of tomcat.

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ
Reply
0 Kudos
dxber
Contributor
Contributor
Jump to solution

Thanks for the details.

Can you please help me how to check Tomcat version in VCSA?

Reply
0 Kudos
Ajay1988
Expert
Expert
Jump to solution

Well it should be "httpd -v" .

 

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ
Reply
0 Kudos
dxber
Contributor
Contributor
Jump to solution

Thanks! its worked 🙂 

Reply
0 Kudos
Ajay1988
Expert
Expert
Jump to solution

Glad It worked.

 

Seems you marked wrong comment as solution. Appreciate if you could update it

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ
Reply
0 Kudos
tomas_strand
Enthusiast
Enthusiast
Jump to solution

And now maybe CVE-2021-44228 ?

Perttu
Enthusiast
Enthusiast
Jump to solution

There seems to be a plenty of different log4j version (and they are all affected <= 2.14.1 ) on a vCenter, and I wonder which is used where.

root@your-precious-vcenter [ ~ ]#$ find /usr/ -name "log4j-core*.jar"
/usr/lib/vmware-sso/vmware-sts/webapps/ROOT/WEB-INF/lib/log4j-core-2.13.1.jar
/usr/lib/vmware-dbcc/lib/log4j-core-2.8.2.jar
/usr/lib/vmware-lookupsvc/webapps/ROOT/WEB-INF/lib/log4j-core-2.13.1.jar
/usr/lib/vmware/common-jars/log4j-core-2.11.2.jar
/usr/lib/vmware/common-jars/log4j-core-2.8.2.jar
/usr/lib/vmware/common-jars/log4j-core-2.11.0.jar
/usr/lib/vmware/common-jars/log4j-core-2.13.1.jar
/usr/lib/vmware/cis_upgrade_runner/payload/component-scripts/sso/lstool/lib/log4j-core-2.13.1.jar

What is the official mitigation for
$ vpxd -v
VMware VirtualCenter 7.0.3 build-18901211

Reply
0 Kudos
tomas_strand
Enthusiast
Enthusiast
Jump to solution

Seem like setting log4j2.formatMsgNoLookups to true. No idea how this will affect VMware products.

https://www.randori.com/blog/cve-2021-44228/

Reply
0 Kudos
Perttu
Enthusiast
Enthusiast
Jump to solution

Independently to all following files? I suppose I can't give that as an additional execution argument for all Java processes that vSphere spawns. I suppose the vulnerable parts are all APIs and others that allow logging of user input in a possible un sanitised form.

root@your-vcenter [ ~ ]# find / -name "log4j*.xml"
/opt/vmware/share/config/log4j2.xml
/usr/lib/vmware-certificateauthority/config/log4j2.xml
/usr/lib/vmware-trustmanagement/config/log4j2.xml
/usr/lib/vmware-sso/vmware-sts/webapps/ROOT/WEB-INF/classes/log4j2.xml
/usr/lib/vmware-lookupsvc/webapps/ROOT/WEB-INF/classes/log4j2.xml
/usr/lib/vmware-topologysvc/config/log4j2.xml
/usr/lib/vmware-infraprofile/config/log4j2.xml
/usr/lib/vmware-certificatemanagement/config/log4j2.xml

Reply
0 Kudos
Perttu
Enthusiast
Enthusiast
Jump to solution

Maybe the relevant configuration files are log4j.properties instead.

I found 35 such files; find / -name "log4j*.properties" | wc -l.  

Should that setting be applied independently to each of them? VMware, we need urgent official information about this.  

Reply
0 Kudos
tomas_strand
Enthusiast
Enthusiast
Jump to solution

I think we need an official VMware respons to this. In the meantime I have firewalled every VMware product from the public internet. I know many people don't have that luxury. 

Reply
0 Kudos
Ajay1988
Expert
Expert
Jump to solution

VMware is aware of the critical severity vulnerability in Apache Log4j2 (CVE-2021-44228) and is currently working on it. Should have it fixed in a future version soon.

Please follow https://www.vmware.com/security/advisories/VMSA-2021-0028.html

 

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ
Reply
0 Kudos