vCenter

  • 1.  log4j

    Posted Dec 13, 2021 05:43 PM

    I am using vCenter appliance 6.5 U2. VMware has not released a patch for log4j yet. VMware offers a temporary solution. Do you think I should wait for the patch or apply the workaround?



  • 2.  RE: log4j

    Posted Dec 13, 2021 06:08 PM

    I'm also trying to figure out what the lines below actually do in vCenter for the workaround.

     

     



  • 3.  RE: log4j

    Posted Dec 13, 2021 06:44 PM

    For the workaround on vCenter 6.5, do I make all the changes on the services as recommended here?

    https://kb.vmware.com/s/article/87081?lang=en_US

     

    Do all of these services run by default for this version?

    stsd, idmd, psc-client, and vMon

     

    Thanks,

    TT



  • 4.  RE: log4j

    Posted Dec 13, 2021 08:46 PM

    My question is, should I wait for the patch or apply the solution urgently? Are you applying the workaround to your infrastructure in the production environment or are you waiting for my patch?

    What exactly is the meaning of temporary solution?



  • 5.  RE: log4j

    Posted Dec 13, 2021 08:56 PM

    Most people would; it's the highest CVE score possible, meaning that it's the worst that it can get. Review the scoring at a site like this:

    https://nvd.nist.gov/vuln-metrics/cvs

    If you don't do the workaround, any machine is at risk. How averse you are to that risk is up to you; if these apps are in their own network that requires multiple jumps to get to, you may not be that concerned because they need access to the network. To me, not doing the workaround is like watching your house burn while you hope someone is coming; you can do something now, so I would suggest that you d