dxber
Contributor

vCenter Server 6.7 Tomcat Version?


Hi,

We have VMware vCenter server Appliance VCSA 6.7.

I would like to know the Tomcat Web Server version running on vcsa 6.7.

Could you please help me to get the version details from vCenter server?

 

Regards,

 

0 Kudos
14 Replies
scott28tt
VMware Employee

Why do you want to know?

 


-------------------------------------------------------------------------------------------------------------------------------------------------------------
VMware Training & Certification blog
0 Kudos
dxber
Contributor

We need to know the Tomcat version, as CVE-2021-40438 was released, and we would like to know if we are impacted.

0 Kudos
Ajay1988
VMware Employee

vCSA 6.7 till U3o (even all 7.0 versions) are affected by CVE-2021-40438. A future version should contain a higher version of Tomcat.

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ
0 Kudos
dxber
Contributor

Thanks for the details.

Can you please help me check the Tomcat version in VCSA?


0 Kudos
Ajay1988
VMware Employee

Well, it should be "httpd -v".

 

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ


0 Kudos
dxber
Contributor

Thanks! It worked 🙂

0 Kudos
Ajay1988
VMware Employee

Glad it worked.

 

Seems you marked the wrong comment as the solution. Appreciate it if you could update it.

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ


0 Kudos
tomas_strand
Contributor

And now maybe CVE-2021-44228?

Perttu
Enthusiast

There seem to be plenty of different log4j versions (and they are all affected, <= 2.14.1) on a vCenter, and I wonder which is used where.

root@your-precious-vcenter [ ~ ]#$ find /usr/ -name "log4j-core*.jar"
/usr/lib/vmware-sso/vmware-sts/webapps/ROOT/WEB-INF/lib/log4j-core-2.13.1.jar
/usr/lib/vmware-dbcc/lib/log4j-core-2.8.2.jar
/usr/lib/vmware-lookupsvc/webapps/ROOT/WEB-INF/lib/log4j-core-2.13.1.jar
/usr/lib/vmware/common-jars/log4j-core-2.11.2.jar
/usr/lib/vmware/common-jars/log4j-core-2.8.2.jar
/usr/lib/vmware/common-jars/log4j-core-2.11.0.jar
/usr/lib/vmware/common-jars/log4j-core-2.13.1.jar
/usr/lib/vmware/cis_upgrade_runner/payload/component-scripts/sso/lstool/lib/log4j-core-2.13.1.jar

What is the official mitigation for
$ vpxd -v
VMware VirtualCenter 7.0.3 build-18901211

0 Kudos
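The version check from the post above, as an added example that is not part of any reply in this thread and is not VMware tooling: it reads `find` output and marks each `log4j-core` jar against the `<= 2.14.1` bound the poster gives. The `ABOVE`/`UNKNOWN` labels and the `/tmp/constructed` path are assumptions made for the sample.

```shell
#!/bin/sh
# Added example, not from the thread: sort log4j-core jars by the version in
# their file name. The "<= 2.14.1 is affected" bound is the one the post gives.
AFFECTED_MAX="2.14.1"

# Print the version in a log4j-core-<version>.jar path; nothing if absent.
log4j_version() {
    basename "$1" | sed -n 's/^log4j-core-\([0-9][0-9.]*[0-9]\)\.jar$/\1/p'
}

# Succeed when version $1 sorts at or below AFFECTED_MAX (needs sort -V).
version_affected() {
    highest=$(printf '%s\n%s\n' "$1" "$AFFECTED_MAX" | sort -V | tail -n 1)
    [ "$highest" = "$AFFECTED_MAX" ]
}

# Read jar paths on stdin; print "<status> <version> <path>" for each.
classify_jars() {
    while IFS= read -r jar; do
        ver=$(log4j_version "$jar")
        if [ -z "$ver" ]; then
            echo "UNKNOWN - $jar"
        elif version_affected "$ver"; then
            echo "AFFECTED $ver $jar"
        else
            echo "ABOVE $ver $jar"
        fi
    done
}

# Sample input: three paths from the post plus one constructed path.
sample_paths() {
    cat <<'EOF'
/usr/lib/vmware-sso/vmware-sts/webapps/ROOT/WEB-INF/lib/log4j-core-2.13.1.jar
/usr/lib/vmware-dbcc/lib/log4j-core-2.8.2.jar
/usr/lib/vmware/common-jars/log4j-core-2.11.2.jar
/tmp/constructed/log4j-core-2.17.1.jar
EOF
}

sample_paths | classify_jars
# On the appliance: find /usr/ -name "log4j-core*.jar" | classify_jars
```

The check reads file names only, so a copy of the library bundled inside another archive is not seen.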
tomas_strand
Contributor

Seems like setting log4j2.formatMsgNoLookups to true. No idea how this will affect VMware products.

https://www.randori.com/blog/cve-2021-44228/

0 Kudos
Perttu
Enthusiast

Independently for all of the following files? I suppose I can't give that as an additional execution argument for all Java processes that vSphere spawns. I suppose the vulnerable parts are all APIs and others that allow logging of user input in a possibly unsanitised form.

root@your-vcenter [ ~ ]# find / -name "log4j*.xml"
/opt/vmware/share/config/log4j2.xml
/usr/lib/vmware-certificateauthority/config/log4j2.xml
/usr/lib/vmware-trustmanagement/config/log4j2.xml
/usr/lib/vmware-sso/vmware-sts/webapps/ROOT/WEB-INF/classes/log4j2.xml
/usr/lib/vmware-lookupsvc/webapps/ROOT/WEB-INF/classes/log4j2.xml
/usr/lib/vmware-topologysvc/config/log4j2.xml
/usr/lib/vmware-infraprofile/config/log4j2.xml
/usr/lib/vmware-certificatemanagement/config/log4j2.xml

0 Kudos
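One way to see which running JVMs already carry the `log4j2.formatMsgNoLookups` argument raised in the two posts above, as an added example that is not part of any reply and is not VMware tooling. It assumes a Linux `/proc` layout, that a JVM can be recognised by a mapped `libjvm.so`, and that the option is passed on the command line; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: list running JVMs and whether their
# argument list contains the system property discussed above.
FLAG='-Dlog4j2.formatMsgNoLookups=true'

# Print a process's arguments, one per line, from <procdir>/cmdline.
proc_args() {
    tr '\0' '\n' 2>/dev/null < "$1/cmdline"
}

# Assumption: a process is a JVM when it has libjvm.so mapped.
is_jvm() {
    grep -q 'libjvm\.so' "$1/maps" 2>/dev/null
}

# Succeed when the exact flag is one of the process arguments.
has_flag() {
    proc_args "$1" | grep -qxF -- "$FLAG"
}

# Walk <procroot> (default /proc); print "SET|MISSING <pid> <argv0>" per JVM.
audit_jvms() {
    root=${1:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -d "$dir" ] || continue
        is_jvm "$dir" || continue
        if has_flag "$dir"; then state=SET; else state=MISSING; fi
        echo "$state ${dir##*/} $(proc_args "$dir" | head -n 1)"
    done
}

# Run as root on the appliance so every process's maps file is readable.
audit_jvms "$@"
```

Options supplied through an environment variable or a service wrapper file do not appear in the argument list, so `MISSING` means only that the flag is not on the command line. Log4j honours this property only from release 2.10 onward, so it has no effect on the 2.8.2 jars listed earlier in the thread.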
Perttu
Enthusiast

Maybe the relevant configuration files are log4j.properties instead.

I found 35 such files; find / -name "log4j*.properties" | wc -l.  

Should that setting be applied independently to each of them? VMware, we need urgent official information about this.  

0 Kudos
tomas_strand
Contributor

I think we need an official VMware response to this. In the meantime I have firewalled every VMware product from the public internet. I know many people don't have that luxury.

0 Kudos
Ajay1988
VMware Employee

VMware is aware of the critical severity vulnerability in Apache Log4j2 (CVE-2021-44228) and is currently working on it. Should have it fixed in a future version soon.

Please follow https://www.vmware.com/security/advisories/VMSA-2021-0028.html

 

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ
0 Kudos